I have a question regarding AWS Lambdas and setting the access (resource) policy on AWS OpenSearch (using Elasticsearch 6.8 under the hood).
What I want to do is to set up the following access policy on AWS OpenSearch. It seems a bit weird, but it is necessary to do it this way for some reasons (I won't go into detail on those yet):
(1) I want ALL roles (AWS: *) to be able to do everything (es:*) EXCEPT that they must not be able to delete anything from my OpenSearch instance. In other words, I want to prevent them from doing an ESHTTPDelete operation.
(2) However, I DO STILL want the Lambda (the one that has the role arn:aws:iam::123456789:role/testelk-purge-elk-role) to be able to do the ESHTTPDelete.
Therefore, the actual access policy that I have is as follows (obviously I have changed the names). This should work, although it is a bit convoluted. HOWEVER, it does not work, due to some way that Lambdas use their execution role that I am not yet understanding. Any ideas or help in this area would be appreciated.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
    },
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [ "arn:aws:iam::123456789:role/testelk-purge-elk-role" ]
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
    }
  ]
}
```
The above, I think, should work. However, the error I get when I run the lambda is as follows:
```
Index logstash-2024.03.28 delete error Authorization Exception ::{"path":"/logstash-2024.03.28","query":{},"statusCode":403,"response":"{"Message":"User: arn:aws:sts::123456789:assumed-role/testelk-purge-elk-role/testelk-purge-elk is not authorized to perform: es:ESHttpDelete with an explicit deny in a resource-based policy"}"}
```
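The 403 message above is the useful clue: the caller is not the role ARN `arn:aws:iam::123456789:role/testelk-purge-elk-role` but the STS assumed-role session ARN `arn:aws:sts::123456789:assumed-role/testelk-purge-elk-role/testelk-purge-elk`, and `NotPrincipal` ARNs are matched exactly (only a bare `"*"` is a wildcard), so the session identity is not in the exemption list and the explicit Deny applies. The following is an added example, not code from the question or from AWS: a toy evaluator that models just that slice of resource-based policy evaluation (explicit Deny beats Allow, exact principal match, the trailing `/*` resource form used in the posted policy). `POLICY_AS_POSTED` is the question's policy; `POLICY_WITH_SESSION` is an assumed variant that also lists the session ARN taken from the error message (AWS documents that a role in `NotPrincipal` with `Deny` must be accompanied by its assumed-role ARN). The model ignores identity-based policies and OpenSearch fine-grained access control, which the real evaluator also consults.

```python
"""Toy model of resource-based policy evaluation for a Lambda caller.

Added example, not the asker's code and not AWS's evaluator.  It models
only what is needed to explain the 403 in the question:
  * an explicit Deny always wins over an Allow,
  * Principal / NotPrincipal ARNs match exactly (a lone "*" matches all),
  * a Lambda presents its STS assumed-role session ARN, not the role ARN.
"""

ROLE_ARN = "arn:aws:iam::123456789:role/testelk-purge-elk-role"
# Identity the Lambda actually presents (copied from the 403 message):
SESSION_ARN = "arn:aws:sts::123456789:assumed-role/testelk-purge-elk-role/testelk-purge-elk"
DOMAIN_RESOURCE = "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/*"
# Constructed request target, the index named in the error message:
INDEX_RESOURCE = "arn:aws:es:eu-west-2:123456789:domain/domain-elktest/logstash-2024.03.28"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_block, caller_arn):
    # IAM accepts a lone "*" but no partial wildcards in principal ARNs.
    return any(arn == "*" or arn == caller_arn
               for arn in _as_list(principal_block.get("AWS", [])))


def _resource_matches(pattern, resource):
    # Only the trailing "/*" form used by the posted policy is modelled.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _statement_applies(stmt, caller_arn, action, resource):
    if "Principal" in stmt:
        principal_ok = _principal_matches(stmt["Principal"], caller_arn)
    else:
        # NotPrincipal: the statement applies to every caller NOT listed.
        principal_ok = not _principal_matches(stmt["NotPrincipal"], caller_arn)
    action_ok = any(a == "es:*" or a == action for a in _as_list(stmt["Action"]))
    resource_ok = any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
    return principal_ok and action_ok and resource_ok


def evaluate(policy, caller_arn, action, resource):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, caller_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "EXPLICIT_DENY"  # an explicit deny always wins
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def build_policy(not_principals):
    """Same two statements as the posted policy, with a configurable NotPrincipal list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "es:*", "Resource": DOMAIN_RESOURCE},
            {"Effect": "Deny", "NotPrincipal": {"AWS": not_principals},
             "Action": "es:ESHttpDelete", "Resource": DOMAIN_RESOURCE},
        ],
    }


# The policy exactly as posted: only the role ARN is exempted from the Deny.
POLICY_AS_POSTED = build_policy([ROLE_ARN])
# Assumed variant: the assumed-role session ARN is exempted as well.
POLICY_WITH_SESSION = build_policy([ROLE_ARN, SESSION_ARN])

if __name__ == "__main__":
    for name, pol in (("as posted", POLICY_AS_POSTED),
                      ("with session ARN", POLICY_WITH_SESSION)):
        print(f"{name}: delete by Lambda ->",
              evaluate(pol, SESSION_ARN, "es:ESHttpDelete", INDEX_RESOURCE))
```

Run as a script it prints `EXPLICIT_DENY` for the posted policy and `ALLOW` for the variant, while any other session (a constructed `assumed-role/other-role/other`) is still denied the delete and still allowed reads. From a least-privilege standpoint the Deny statement is doing the real work here: a bare `"Principal": {"AWS": "*"}` Allow also opens the domain to anonymous callers unless the domain sits in a VPC or fine-grained access control is on, so after confirming the session-ARN behaviour it is worth narrowing that Allow to the account or roles that actually need it.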