AWS Cognito Authentication for Kibana

Sandeep Harikumar
Published in Tensult Blogs
May 2, 2018 (6 min read)

Access control is a security technique that regulates which users or systems may reach the resources in a computing environment. Role-Based Access Control (RBAC) is one such technique: you assign roles to the people in an organization, and the roles decide which resources they may access. In this scenario you want to expose your Kibana endpoint only to a specific set of people. In AWS this can be achieved with the identity and access control service known as AWS Cognito.

That is a lot to digest at once, so before walking through the process it is worth describing briefly the services involved. Let's get started.

AWS Cognito:

Cognito is a simple, secure and highly scalable identity and access control service from AWS. Cognito lets you add user sign-up, sign-in and access control to your mobile and web applications. It also supports sign-in through social identity providers such as Google, Facebook and Amazon, and through SAML 2.0 based enterprise identity providers. To know more about the service please visit here.

AWS Elasticsearch:

AWS Elasticsearch Service is a fully managed, scalable Elasticsearch offering from AWS. Elasticsearch can be used for log analytics, text search, application monitoring and so on. Being fully managed, it is easy to deploy, scale and operate. It has built-in integration with Kibana and Logstash and with other AWS services such as VPC and Lambda. To know more about the service please visit here.

Kibana:

Kibana is an open-source visualization tool that tightly integrates with Elasticsearch. It can be used for visualizing, analyzing and exploring your real-time data. In AWS, Kibana is integrated with Elasticsearch and an endpoint will be generated automatically when you create an Elasticsearch cluster. To know more about Kibana please visit here.

Coming back to the point: in this blog we integrate Cognito authentication with Kibana. In AWS, the Elasticsearch service is tightly integrated with Kibana, which means that when you spin up an Elasticsearch cluster you also get an endpoint for Kibana. Before starting you should already have created and configured an Elasticsearch cluster. It will look similar to the image shown below.

If you have not already done this step, please visit the AWS documentation here.

Configuring AWS Cognito

User pool

The user pool is the user directory for AWS Cognito: it is where the user data is stored for users who sign in to your web or mobile application. Users can also sign up through social identity providers like Facebook, Google and Amazon.

To set up user pool:

1. Login to your AWS console.

2. Go to Security, Identity and Compliance, and select Cognito. You will be greeted by this screen,

3. Click on Manage your user pool.

4. You will now see your existing user pools, if any. To create a new one, click on Create a user pool.

5. In the next screen, give the user pool a name. You can either step through the settings or review the defaults. Make sure you create an App client; you will need its ID later. To know more about app clients please visit the documentation here. Don't worry, you can edit most of these settings later; the exceptions are the pool name and the attributes you choose as sign-in identifiers, which are fixed at creation, so choose them carefully.

6. Once the user pool has been created, open it and go to Domains on the left-hand side. Create a domain prefix of your choice; it must be unique within the region, because it becomes the hosted sign-in URL that Kibana will redirect users to.

7. Once all these steps are completed you can start adding users from the ‘Users and Groups’ tab.

Identity pool

An identity pool does not store credentials; it exchanges an identity (a token from your user pool, or an unauthenticated guest identity if you allow one) for temporary AWS credentials tied to an IAM role. That role is what the Elasticsearch domain's access policy will see when a signed-in user's browser calls Kibana. To know more about identity pools please visit the documentation here.

To set up an identity pool:

1. Access Cognito.

2. Click on Manage Federated Identities, and you will be greeted by the following screen. Here, click on Create new Identity Pool.

3. Give your identity pool a name. Now add the authentication provider: since the user pool is doing the authentication, open the Cognito tab under Authentication providers and paste in the User pool ID and App client ID from the user pool you created. Then click Create pool.

4. Cognito integrates with IAM so that you can restrict what end users may do with your AWS resources. In the next step, click Allow to let Cognito create two IAM roles for the pool (one for authenticated identities and one for unauthenticated ones) and finish the identity pool creation. Note the authenticated role's name; it is the identity that must be permitted in the Elasticsearch access policy.

5. Once all these steps are completed you will see this screen.

Integrating with Elasticsearch

Now that you have created both the user pool and the identity pool, it is time to enable Kibana authentication on the Elasticsearch cluster.

To set up the authentication:

1. Go to your AWS console, click on Elasticsearch Service under Analytics, and click on your domain.

2. Now click on the Configure cluster option at the top right.

3. In the cluster settings, go to Kibana authentication, tick the checkbox, select your user pool and identity pool from the dropdowns and click Submit. The service also needs an IAM role that lets it configure the user pool and identity pool on your behalf; the console creates it for you. The change takes some time to process.

4. Once that has completed, go to the Modify access policy option and select a template based on your requirements. In this tutorial I'm using the second option, "Allow access for one or more AWS accounts or IAM users". Keep the effect as "Allow", enter your account ID, click OK and Submit to apply the change. You can skip this step if you already did it during cluster creation. Whichever template you choose, check that the identity pool's authenticated role ends up allowed to call es:ESHttp* on the domain, either as a principal in the domain access policy or through the role's own IAM policy; otherwise users will sign in successfully and then be rejected by Kibana with an authorization error.

5. Now go back to your Elasticsearch domain and click on the Kibana endpoint. If all the steps were done correctly, you will be redirected to the Cognito sign-in page shown below.
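The access policy chosen in step 4 is the part of this procedure that is easy to get subtly wrong, so here is an added example (not code from the original post or from AWS) that builds the two policy documents side by side: the account-wide template the tutorial uses, and a tighter one that names only the identity pool's authenticated role and only the es:ESHttp* actions that Kibana needs. A small evaluator then reports whether a given role ARN is allowed directly, is merely delegated to IAM (the account-root case, where the role's own IAM policy must also grant access), or is not allowed at all. The account ID, region, domain name and role names are made up, and the evaluator is a simplified model of IAM's resource-policy logic (no Condition, NotAction or NotPrincipal handling), meant as a pre-flight check rather than a replacement for the real policy simulator.

```python
"""Domain access policies for Cognito-authenticated Kibana (added example).

Builds the tutorial's account-wide policy and a least-privilege alternative,
then evaluates whether the identity pool's authenticated role gets through.
"""
import fnmatch
import json

# Constructed identifiers: none of these are real AWS resources.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
DOMAIN_NAME = "logs-dev"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT_ID}:domain/{DOMAIN_NAME}"
AUTH_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_kibana_poolAuth_Role"
OTHER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/UnrelatedRole"
KIBANA_RESOURCE = f"{DOMAIN_ARN}/_plugin/kibana/"   # what a Kibana page load hits


def account_wide_policy(account_id=ACCOUNT_ID, domain_arn=DOMAIN_ARN):
    """The console template 'Allow access for one or more AWS accounts or IAM users'.

    Naming the account root grants nothing by itself; it delegates the decision
    to each principal's own IAM policy, so the Cognito authenticated role must
    also carry es:ESHttp* in its IAM policy for Kibana to work.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "es:*",
        "Resource": f"{domain_arn}/*",
    }]}


def cognito_role_policy(auth_role_arn=AUTH_ROLE_ARN, domain_arn=DOMAIN_ARN):
    """Tighter alternative: only the identity pool's authenticated role, and only
    the HTTP actions that Kibana proxies, not domain management actions."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": auth_role_arn},
        "Action": "es:ESHttp*",
        "Resource": f"{domain_arn}/*",
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def evaluate_role(policy, role_arn, action="es:ESHttpGet", resource=KIBANA_RESOURCE):
    """Return 'allowed', 'delegated', 'denied' or 'not_allowed' for one role.

    Simplified model: Action and Resource use IAM-style wildcards (actions are
    case-insensitive); an explicit Deny naming the role, its account root or '*'
    wins; an Allow naming the role or '*' is direct; an Allow naming only the
    account root is delegated to the role's IAM policy.
    """
    account_root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    direct = delegated = False
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        principals = _principals(stmt)
        names_role = role_arn in principals or "*" in principals
        if stmt.get("Effect") == "Deny" and (names_role or account_root in principals):
            return "denied"           # conservative: a root Deny covers the account
        if stmt.get("Effect") != "Allow":
            continue
        if names_role:
            direct = True
        elif account_root in principals:
            delegated = True
    return "allowed" if direct else "delegated" if delegated else "not_allowed"


if __name__ == "__main__":
    for name, policy in (("account-wide", account_wide_policy()),
                         ("cognito-role", cognito_role_policy())):
        print(f"--- {name} policy ---")
        print(json.dumps(policy, indent=2))
        print("authenticated role:", evaluate_role(policy, AUTH_ROLE_ARN))
        print("unrelated role:    ", evaluate_role(policy, OTHER_ROLE_ARN))
```

Paste the tightened document into Modify access policy (or apply it with `aws es update-elasticsearch-domain-config --access-policies file://policy.json`) after substituting your own account, region, domain name and authenticated role ARN. The evaluator flags the case that bites most people with the account-wide template: the result is "delegated", which only becomes a working login if the authenticated role's IAM policy also grants es:ESHttp* on the domain.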

It is now easy for administrators to grant Kibana access. When a user needs access, the administrator creates the user in the user pool and has a temporary password sent by email or SMS directly from the console. The user pool's password policy also lets the administrator set how many days such a temporary password stays valid, so an invitation that is never used expires on its own.

As a side note, Elasticsearch version 5.5 was used in this process, on a t2.small instance.

This Blog has been moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.
