Setting Up OpenSearch User Permissions for an AWS Role
If you're using AWS OpenSearch in your Immuta installation, use this how-to to set up the proper access and permissions needed for AWS role authentication.
Requirements
An OpenSearch domain
The user setting up the permissions must have the following permissions:
Administrative access to your AWS account
Master user on your OpenSearch domain
Create an IAM role for Immuta audit
Create an AWS IAM role that Immuta will assume to send audit events to your OpenSearch domain.
Create an AWS IAM role with credentials using the AWS SDK's default credential provider chain. This method requires a configured IAM role for a service account (IRSA). Contact your Immuta representative to customize your deployment and set up an IAM role for a service account that can give Immuta the credentials to set up the integration.
Create the access policy for this role. It should include at least the permissions provided in the example below, but might need additional permissions depending on other local setup factors. You can find the full list of permissions in the AWS docs on the AWS actions, resources, and condition keys page. Note: If you use this example, replace the content in angle brackets with your region, AWS account ID, and domain.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:ESHttpDelete",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "es:ESHttpPatch",
                "es:ESHttpPost",
                "es:ESHttpPut",
                "es:DescribeDomains",
                "es:ListDomainNames"
            ],
            "Resource": "arn:aws:es:<region>:<Your AWS Account ID>:domain/<your-domain>/*"
        }
    ]
}
Name the role and save.
Set up domain access policy
Amazon OpenSearch Service domains are controlled by a resource-based access policy that determines which IAM users or roles can connect to the domain and perform operations.
Follow AWS documentation for updating a resource-based policy. Immuta supports two options for domain access:
Only use fine-grained access control: If you select this option, no additional actions are required for this step.
Configure domain access policy:
Edit the access policy to allow the role OpenSearch access and management operations: grant your AWS IAM role es:* through a resource-based policy. Note: If you use this example, replace the content in angle brackets with your region, AWS account ID, and domain.
Save your changes.
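The resource-based domain access policy this step describes, as an added example that is not part of the Immuta documentation or of AWS's own tooling: render_domain_policy produces a policy that grants es:* on a single domain to one IAM role, and audit_domain_policy flags the over-grants that matter most when reviewing such a policy (a wildcard principal, which exposes the domain to any AWS identity or to anonymous access, and a Resource not scoped to one domain). The region, account ID, domain name and role ARN are constructed placeholders.

```python
import json
import re

# Constructed placeholder values for this example; substitute your own.
REGION = "us-east-1"
ACCOUNT_ID = "111122223333"
DOMAIN = "immuta-audit"
IMMUTA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/immuta-audit"

# A domain ARN scoped to exactly one domain (OpenSearch domain names are
# 3-28 lowercase characters and start with a letter), optionally with "/*".
_DOMAIN_ARN_RE = re.compile(
    r"^arn:aws:es:[a-z0-9-]+:\d{12}:domain/[a-z][a-z0-9-]{2,27}(?:/\*)?$"
)
_IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/")


def render_domain_policy(region, account_id, domain, role_arn):
    """Resource-based access policy granting es:* on one domain to one IAM role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "es:*",
                "Resource": f"arn:aws:es:{region}:{account_id}:domain/{domain}/*",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_domain_policy(policy):
    """Return a list of findings (empty when the policy is scoped as intended).

    Only Allow statements are examined; each is checked for a wildcard
    principal and for a Resource that is not limited to a single domain.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals = ["*"]
        elif isinstance(principal, dict):
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = []
        if "*" in principals:
            findings.append(
                f"statement {idx}: Principal '*' allows any AWS identity "
                "(or anonymous access) unless a Condition restricts it"
            )
        for arn in principals:
            if arn != "*" and not _IAM_PRINCIPAL_RE.match(arn):
                findings.append(f"statement {idx}: principal {arn!r} is not an IAM role or user ARN")
        for res in _as_list(stmt.get("Resource", [])):
            if not _DOMAIN_ARN_RE.match(res):
                findings.append(f"statement {idx}: resource {res!r} is not scoped to a single domain")
    return findings


if __name__ == "__main__":
    policy = render_domain_policy(REGION, ACCOUNT_ID, DOMAIN, IMMUTA_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_domain_policy(policy))
```

Running the audit against an existing domain's policy (retrieved from the console or `aws opensearch describe-domain`) before and after editing it gives a quick check that the change only widened access for the Immuta role and did not accidentally open the domain.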
Configure OpenSearch permissions
In the OpenSearch console, you must create or edit a role that grants Immuta’s IAM role access to the appropriate cluster and index permissions.
Follow AWS documentation for creating a new OpenSearch role for your audit IAM role.
Grant the following permissions to the new role.
Cluster-level permissions:
Index-level permissions for the * index:
Map the IAM role to the OpenSearch role
Once the IAM role is created and OpenSearch permissions are updated, allow the role to assume permissions inside OpenSearch.
Follow AWS documentation for updating a backend role in OpenSearch.
Select the OpenSearch role created for Immuta audit access.
Under Backend roles, add the ARN of your IAM role:
Save your changes.
Optionally create a trust relationship
If Immuta is deployed in an AWS account that is different from the OpenSearch account, then you must configure a trust relationship between the Immuta role and an OpenSearch role. Follow AWS documentation for creating IAM policies in the Amazon S3 console.
Once configured, set SEARCH_AWS_ROLE_ARN in immuta-values.yaml to the ARN of the role for Immuta to assume.
After these steps are complete, your audit role should have the required permissions, and you can complete the Immuta install using the IAM role.
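The cross-account trust relationship from the previous step, as an added example that is not part of the Immuta documentation: needs_trust_relationship compares the account IDs in the Immuta role ARN and the OpenSearch domain ARN to decide whether this step applies, and render_trust_policy builds the trust policy for the role in the OpenSearch account so that only the Immuta role can call sts:AssumeRole on it. Both ARNs are constructed placeholders, and the optional sts:ExternalId condition is an assumption added here as a standard confused-deputy guard, not something the page prescribes.

```python
import json
import re

# Constructed placeholder ARNs for this example; substitute your own.
IMMUTA_ROLE_ARN = "arn:aws:iam::111122223333:role/immuta-app"          # role in the Immuta account
OPENSEARCH_DOMAIN_ARN = "arn:aws:es:us-east-1:444455556666:domain/immuta-audit"
EXTERNAL_ID = "replace-with-a-random-secret"   # assumption: optional confused-deputy guard

_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
_ARN_ACCOUNT_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12}):")


def account_of(arn):
    """Return the 12-digit account ID embedded in an ARN, or raise if absent."""
    match = _ARN_ACCOUNT_RE.match(arn)
    if not match:
        raise ValueError(f"no account ID in ARN: {arn!r}")
    return match.group(1)


def needs_trust_relationship(immuta_role_arn, opensearch_domain_arn):
    """True when Immuta and the OpenSearch domain live in different accounts."""
    return account_of(immuta_role_arn) != account_of(opensearch_domain_arn)


def render_trust_policy(immuta_role_arn, external_id=None):
    """Trust policy for the OpenSearch-account role that Immuta will assume.

    Only the named Immuta role may assume it; when external_id is given the
    caller must also present that value in the AssumeRole request.
    """
    if not _ROLE_ARN_RE.match(immuta_role_arn):
        raise ValueError(f"not an IAM role ARN: {immuta_role_arn!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": immuta_role_arn},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trusted_principals(trust_policy):
    """List the AWS principals a trust policy lets assume the role (for review)."""
    out = []
    for stmt in trust_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            aws = stmt.get("Principal", {}).get("AWS", [])
            out.extend(aws if isinstance(aws, list) else [aws])
    return out


if __name__ == "__main__":
    if needs_trust_relationship(IMMUTA_ROLE_ARN, OPENSEARCH_DOMAIN_ARN):
        print(json.dumps(render_trust_policy(IMMUTA_ROLE_ARN, EXTERNAL_ID), indent=2))
    else:
        print("same account: no trust relationship needed")
```

The role whose trust policy this produces is the one whose ARN goes into SEARCH_AWS_ROLE_ARN; trusted_principals is the review check that nothing besides the Immuta role ended up in that trust policy.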