Description:

The Amazon Elasticsearch Service (ES) internal user database is a secure way to manage access to your ES domains. By enabling the internal user database, you can create and manage users and roles for your domain, and restrict access to specific resources.

Rationale:

The internal user database provides a number of security benefits, including:

  • Increased security: The internal user database is more secure than the default open access configuration.
  • Fine-grained access control: You can create and manage users and roles, and restrict access to specific resources.
  • Easier management: The internal user database makes it easier to manage access to your ES domains.

Impact:

Enabling the internal user database has no impact on the availability or performance of your ES domains.

Default Value:

By default, the internal user database is not enabled.

Pre-requisites:

  • You must have access to the AWS Management Console or the AWS CLI.
  • You must have the IAM permissions necessary to create and manage users and roles.

Remediation Steps:

To enable the internal user database, follow these steps:

  1. In the AWS Management Console, go to the Amazon Elasticsearch Service page.
  2. Click the name of the domain for which you want to enable the internal user database.
  3. Click the Security tab.
  4. Under User management, select Enable internal user database.
  5. Click Save.

Test Plan:

To test that the internal user database is enabled, follow these steps:

  1. Create a new user in the AWS Management Console or the AWS CLI.
  2. Try to access your ES domain using the new user.
  3. If you are able to access the domain, then the internal user database is enabled.
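A complementary check for the state the Test Plan verifies, added here as an example that is not part of the original page or of AWS's tooling: it inspects the AdvancedSecurityOptions block that `aws es describe-elasticsearch-domain` returns under DomainStatus and reports domains where the internal user database is off, including the case where fine-grained access control is on but the master user is an IAM principal. The sample responses are constructed, and the function names audit_domain and audit_many are assumptions of this example.

```python
import json

# Constructed sample responses, trimmed to the fields this check reads; the
# real input is the JSON from `aws es describe-elasticsearch-domain`.
SAMPLE_RESPONSES = {
    # Finding: fine-grained access control never turned on (the page's default).
    "legacy-domain": {"DomainStatus": {"DomainName": "legacy-domain"}},
    # Finding: FGAC on, but the master user is an IAM principal, not an internal user.
    "iam-master": {"DomainStatus": {
        "DomainName": "iam-master",
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False}}},
    # Compliant: FGAC on and the internal user database on.
    "internal-db": {"DomainStatus": {
        "DomainName": "internal-db",
        "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": True}}},
}


def audit_domain(response: dict) -> dict:
    """Return {'domain', 'compliant', 'reason'} for one describe-domain response."""
    status = response.get("DomainStatus", {})
    name = status.get("DomainName", "<unknown>")
    aso = status.get("AdvancedSecurityOptions")
    if not aso:
        # Block absent: fine-grained access control was never configured.
        return {"domain": name, "compliant": False,
                "reason": "AdvancedSecurityOptions absent (fine-grained access control off)"}
    if not aso.get("Enabled", False):
        return {"domain": name, "compliant": False,
                "reason": "fine-grained access control disabled"}
    if not aso.get("InternalUserDatabaseEnabled", False):
        return {"domain": name, "compliant": False,
                "reason": "fine-grained access control on, internal user database off"}
    return {"domain": name, "compliant": True, "reason": "internal user database enabled"}


def audit_many(responses: dict) -> list:
    """Return only the non-compliant findings, sorted by domain name."""
    findings = (audit_domain(r) for r in responses.values())
    return sorted((f for f in findings if not f["compliant"]), key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in audit_many(SAMPLE_RESPONSES):
        print(json.dumps(finding))
```

Feed it one describe-domain response per domain from your account to get a list of domains that still need the remediation above.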

Implementation Plan:

The following are the steps involved in implementing the process:

  1. Enable the internal user database in the AWS Management Console or the AWS CLI.
  2. Create users and roles for your ES domain.
  3. Restrict access to specific resources.

AWS CLI Process:

To enable the internal user database using the AWS CLI, set the advanced security (fine-grained access control) options on the domain. Replace the master user name and password placeholders with values of your own:

aws es update-domain-config --domain-name my-domain --advanced-security-options 'Enabled=true,InternalUserDatabaseEnabled=true,MasterUserOptions={MasterUserName=<master-user-name>,MasterUserPassword=<master-user-password>}'

Using AWS GUI:

The console procedure is the same as under Remediation Steps above: open the Amazon Elasticsearch Service page in the AWS Management Console, click the name of the domain, open the Security tab, select Enable internal user database under User management, and click Save.

Backout Plan:

To back out of the process, you can disable the internal user database. To do this, follow the steps above, but select Disable internal user database instead of Enable internal user database.

Note:

  • The internal user database is a regional resource. This means that you must enable it for each region where you have an ES domain.
  • You can use the AWS CLI or the AWS Management Console to manage users and roles in the internal user database.

Reference:

  • Amazon Elasticsearch Service documentation on the internal user database: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html

Section 2:

  • Tags: security, access control, es, internal user database
  • Keywords: enable, disable, manage, users, roles, resources