
AWS OpenSearch/Elasticsearch IAM

The Pulse Platform can monitor AWS OpenSearch and AWS Elasticsearch clusters, adding observability into key cluster metrics along with alerting, insights and recommendations, and support. The Pulse Agent fully supports AWS OpenSearch and AWS Elasticsearch in all their flavors and configurations.

This page explains how to set up Pulse for AWS OpenSearch and AWS Elasticsearch using IAM. If you want to authenticate using fine-grained security, see integration.

The supported integration method is the Pulse Agent.

Using the Pulse Agent

If you haven't done so yet, follow the installation and basic configuration instructions in the Pulse Agent integration section.

The clusters section of the configuration file should point to the cluster endpoint, and include the relevant credentials.

For AWS OpenSearch use:

  - type: aws-opensearch
    hosts: https://my-aws-es-cluster-fjaow83nfdjw7dh2o98.us-east-1.es.amazonaws.com/
    aws_access_key_id: AKIA.....
    aws_secret_access_key: .....
    aws_region: us-east-1

For AWS Elasticsearch:

  - type: aws-elasticsearch
    hosts: https://my-aws-es-cluster-fjaow83nfdjw7dh2o98.us-east-1.es.amazonaws.com/
    aws_access_key_id: AKIA.....
    aws_secret_access_key: .....
    aws_region: us-east-1

If you want to prevent the Pulse user from accessing endpoints such as search, the policy below lists the endpoints the agent requires. You can set access conditions for the various resources within the cluster definition.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "es:ESHttpGet",
      "Resource": [
        "domain_arn/",
        "domain_arn/_cluster/state*",
        "domain_arn/_cluster/settings/",
        "domain_arn/_cluster/stats*",
        "domain_arn/_cluster/health/",
        "domain_arn/_cluster/allocation/explain/",
        "domain_arn/_cat/recovery/",
        "domain_arn/_stats/",
        "domain_arn/_nodes*/stats*",
        "domain_arn/_cat/nodes/",
        "domain_arn/_snapshot/",
        "domain_arn/_cat/snapshots*",
        "domain_arn/_snapshot/_status/",
        "domain_arn/_cat/indices/",
        "domain_arn/_cat/templates/",
        "domain_arn/_template*",
        "domain_arn/*/_settings/",
        "domain_arn/_tasks*",
        "domain_arn/_cluster/pending_tasks/",
        "domain_arn/_plugins/_knn/stats/",
        "domain_arn/_plugins/_ism/explain/*",
        "domain_arn/_dangling/"
      ]
    }
  ]
}
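To check before attaching the policy that it still blocks search, the following added example (not part of the Pulse documentation or agent) fills in the domain_arn placeholder and tests request paths against the resource list. It assumes domain_arn stands for your domain's ARN, uses a constructed ARN, and models only Allow statements with literal IAM-style `*` and `?` matching (no Deny statements, conditions, or path normalization), so a path without the trailing slash shown in the policy does not match in this model.

```python
import json
import re

# Resource suffixes copied from the policy on this page.
SUFFIXES = [
    "/", "/_cluster/state*", "/_cluster/settings/", "/_cluster/stats*",
    "/_cluster/health/", "/_cluster/allocation/explain/", "/_cat/recovery/",
    "/_stats/", "/_nodes*/stats*", "/_cat/nodes/", "/_snapshot/",
    "/_cat/snapshots*", "/_snapshot/_status/", "/_cat/indices/",
    "/_cat/templates/", "/_template*", "/*/_settings/", "/_tasks*",
    "/_cluster/pending_tasks/", "/_plugins/_knn/stats/",
    "/_plugins/_ism/explain/*", "/_dangling/",
]

def render_policy(domain_arn):
    """Build the page's policy with the domain_arn placeholder filled in."""
    resources = [domain_arn + s for s in SUFFIXES]
    statement = {"Effect": "Allow", "Action": "es:ESHttpGet", "Resource": resources}
    return {"Version": "2012-10-17", "Statement": [statement]}

def wild_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def is_allowed(policy, action, domain_arn, path):
    """True if any Allow statement matches the action and domain_arn + path."""
    resource = domain_arn + path
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(wild_match(a, action) for a in as_list(st["Action"]))
                and any(wild_match(r, resource) for r in as_list(st["Resource"]))):
            return True
    return False

# Constructed ARN: the account id and domain name are placeholders.
ARN = "arn:aws:es:us-east-1:111122223333:domain/example-domain"
POLICY = render_policy(ARN)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for p in ["/_cluster/health/", "/_search", "/logs-2024/_search",
              "/logs-2024/_settings/"]:
        print(p, is_allowed(POLICY, "es:ESHttpGet", ARN, p))
```

Because `*` also spans `/`, the `/*/_settings/` entry matches any path that ends in `/_settings/`, however many segments precede it.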