Deploy AWS Cognito Secured Elastic Search Domain with Cloud Formation templates.

Danushka Fernando
2 min readMar 6, 2020

--

Recently AWS started to support the capability of securing AWS Elastic Search Domains with AWS Cognito. I was going to use that feature and found it hard to find a cloud formation template to deploy this at once. So I developed the cloud formation template [1]. Thought of sharing it so next time every body can launch the template without any fuss.

Here I am editing the same code sample that I used in my previous blogs. So I have several lambda functions that

  1. Push logs from cloud watch logs to elastic search
  2. Rollover log indices
  3. Delete old indices

Here for each lambda I was creating a role for each lambda via cloud formation. But I changed it to have single lambda execution role for the lambdas that connects to a elastic search domain. So now I create the lambda execution role with the elastic search cloud formation template [1] and the ARN of the role used as an input for other cloud formation templates that creates lambda functions for above use cases[2] [3] [4]. Its implemented in this manner for the ease of implementation and automation of access policy of the elastic search domain we create[5].

And also obviously I had to change the lambda code and all changes are there in the same GitHub repository. Here I used AWS SDK and the AWS HTTP client to use session token for authenticate to the elastic search APIs. I simply followed the AWS tutorial in [6] to change my lambda functions to the secured elastic search endpoints.

Hope this helps someone to solve a problem.

References

[1] https://github.com/danushkaf/aws_elasticsearch_centralized_logging_with_rollover/blob/master/es-secured.yaml

[2] https://github.com/danushkaf/aws_elasticsearch_centralized_logging_with_rollover/blob/master/LogsToES.yaml

[3] https://github.com/danushkaf/aws_elasticsearch_centralized_logging_with_rollover/blob/master/Delete_Old_Logs.yaml

[4] https://github.com/danushkaf/aws_elasticsearch_centralized_logging_with_rollover/blob/master/Rollover.yaml

[5] https://github.com/danushkaf/aws_elasticsearch_centralized_logging_with_rollover/blob/master/es-secured.yaml#L180-L189

[6] https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html#es-request-signing-node

--

--

No responses yet