AWS Security Blog

Amazon CloudSearch: Now with More Granular Access Control for Domains

Yesterday, Amazon CloudSearch released a new version that is fully integrated with AWS Identity and Access Management (IAM) and enables you to control access to a domain’s document and search services. Jon Handler, an AWS Solution Architect who specializes in search, describes the new features.


In March, we released a new Amazon CloudSearch API that supports 34 languages as well as popular search features such as highlighting, autocomplete, and geospatial search. From a security perspective, one of the most exciting things about the Amazon CloudSearch 2013-01-01 API is that it provides better integration with IAM for the CloudSearch configuration API. Instead of granting users all-or-nothing access to the CloudSearch configuration service, you can grant more granular permissions so you can control access to specific configuration actions, such as creating and managing domains, managing domain resources, setting indexing options, and configuring domain services.

Now, we’ve further enhanced CloudSearch to support full IAM integration for all CloudSearch actions. You can use IAM to control access not just to the CloudSearch configuration service, but also to a domain’s document, search, and suggest services. You have control over which users are allowed to upload documents, submit search requests, and get suggestions.

In this post, I’ll discuss some use cases for granting access to Amazon CloudSearch using IAM.

About Amazon CloudSearch

Amazon CloudSearch is a fully managed search service in the cloud that makes it easy to set up, operate, and scale a search solution for your website or application. Unlike a web search engine, Amazon CloudSearch enables you to build a search solution for any type of data, such as product information, document files, user-supplied data, or a collection of web pages. To use CloudSearch, you create search documents that contain the data you want to search, create and configure a CloudSearch domain, and then upload your search documents to your domain. You can then submit search requests to the domain to find the documents that match particular criteria.

A CloudSearch domain encapsulates all of the software and hardware needed to operate a search engine. CloudSearch manages hosts for you in Amazon EC2 and scales your fleet to accommodate the volume of data and search traffic you send to your search domain. For more about Amazon CloudSearch, visit the CloudSearch detail page.

Access Control with the New CloudSearch API

You control access to CloudSearch using IAM access policies, which enable you to restrict access to particular domains and actions. Access to the CloudSearch configuration service and to each domain’s document, search, and suggest services can be set up independently. You control which search domain a policy applies to using an Amazon Resource Name (ARN) that uses the following format:

arn:aws:cloudsearch:<REGION>:<ACCOUNT-ID>:domain/<DOMAIN-NAME>

The service name in the ARN is cloudsearch, the region specifies the region in which the domain resides (you can use * to indicate all regions), and the resource specifies the name of the search domain. For example, the following ARN identifies a domain called imdb-movies in the us-west-1 region.

arn:aws:cloudsearch:us-west-1:111122223333:domain/imdb-movies

Configuring Access for Different Types of Users

Within your policy, you specify which API actions the policy applies to. Let’s take a look at how you might use the new permissions to configure access for four types of users within your organization:

  • Administrators, who are responsible for creating, configuring, and managing one or more of your organization’s search domains.
  • Operators, who are responsible for the day-to-day monitoring and management of one or more domains, but should not be able to delete them or reconfigure indexing options.
  • Developers, who are responsible for all aspects of their development and test domains and occasionally need to monitor and manage production domains.
  • Business owners, who are responsible for tuning a domain’s search results to satisfy business requirements.

The best approach to configuring access for the four types of users is to create an IAM group for each type of user and attach a policy to each group. The policy for the group grants only the permissions that are appropriate for that user type. You can then create individual IAM users for people in your organization and add them to the group (or groups) that define that person’s responsibilities.

The following examples describe these types of users in a little more detail and show sample IAM policies for each group.

Administrators

Administrators need to be able to control all aspects of one or more search domains. To grant access to all actions on those domains, you specify cloudsearch:* as the action in the administrator access policy. By listing a domain in the Resource element, you can restrict access to specific domains; alternatively, you can use a wildcard (*) to allow access to all domains. The following policy shows how to grant universal access to all domains owned by account 111122223333.

{
    "Version":"2012-10-17",   
    "Statement": [
    {         
        "Effect": "Allow",
        "Action": ["cloudsearch:*"],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/*"
    }]
}

Operators

Operators need access to the actions that enable them to monitor the domains they are responsible for and keep them running. Here’s a list of tasks and the corresponding CloudSearch actions that operators need access to:

  • View domain information: DescribeDomains, ListDomainNames.
  • View and update access policies: DescribeServiceAccessPolicies, UpdateServiceAccessPolicies.
  • View and update availability and scaling options: DescribeAvailabilityOptions, UpdateAvailabilityOptions, DescribeScalingParameters, UpdateScalingParameters.
  • Rebuild the search index: IndexDocuments.

However, operators shouldn’t be able to delete a domain or modify the domain’s index configuration, which could take down the search service for your site or application. They also have no need to create new domains or submit upload, search, or suggest requests to a domain.

It’s also a good practice to restrict operators’ access to the domains for which they are responsible. The following example shows a policy for an operator that grants access to appropriate actions and that also restricts the operator to working in the prod-imdb domain owned by account 111122223333.

{
    "Version":"2012-10-17",   
    "Statement": [
    {
        "Effect": "Allow",         
        "Action": ["cloudsearch:DescribeDomains",
                   "cloudsearch:ListDomainNames",
                   "cloudsearch:IndexDocuments",
                   "cloudsearch:DescribeAvailabilityOptions",
                   "cloudsearch:DescribeScalingParameters",
                   "cloudsearch:DescribeServiceAccessPolicies",
                   "cloudsearch:UpdateAvailabilityOptions",
                   "cloudsearch:UpdateScalingParameters",
                   "cloudsearch:UpdateServiceAccessPolicies"
                  ],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"
    }]
}

Developers

Developers need to be able to manage and interact with their development and test domains, and they might also need operator access to production domains. Unlike operators, developers need to be able to upload documents and submit search and suggest requests to their domains for testing purposes.

The following example grants a developer universal access to all domains for account 111122223333 that begin with dev-, sandbox-, or qa-, such as dev-imdb, sandbox-imdb, and qa-imdb in the us-east-1 region. In addition, it grants operator-level access to the prod-imdb domain. To specify permissions for different domains, you use multiple policy statements.

{
    "Version":"2012-10-17",   
    "Statement": [
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:*"],
        "Resource":
            "arn:aws:cloudsearch:us-east-1:111122223333:domain/dev-*"
    },
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:*"],
        "Resource":
            "arn:aws:cloudsearch:us-east-1:111122223333:domain/sandbox-*"
    },
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:*"],
        "Resource":
            "arn:aws:cloudsearch:us-east-1:111122223333:domain/qa-*"
    },
    {
        "Effect": "Allow",         
        "Action": ["cloudsearch:DescribeDomains",
                   "cloudsearch:ListDomainNames",
                   "cloudsearch:DescribeAvailabilityOptions",
                   "cloudsearch:IndexDocuments",
                   "cloudsearch:DescribeScalingParameters",
                   "cloudsearch:DescribeServiceAccessPolicies",
                   "cloudsearch:UpdateAvailabilityOptions",
                   "cloudsearch:UpdateScalingParameters",
                   "cloudsearch:UpdateServiceAccessPolicies"
                  ],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"
    }]
}
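To see how IAM evaluates a multi-statement policy like the developer policy above, here is a small evaluator added for this post (it is not part of the original article or of any AWS SDK). It implements the standard IAM rules for identity-based policies: implicit deny by default, any matching Allow grants access, and an explicit Deny overrides an Allow; it assumes the post's sample account id 111122223333 and a trimmed two-statement copy of the developer policy.

```python
"""Evaluate an IAM-style policy document against one request (added example).

Rules implemented: implicit deny, a matching Allow grants, an explicit Deny
wins. Action matching is case-insensitive, resource (ARN) matching is
case-sensitive, and both honor the IAM wildcards '*' and '?'.
"""
import json
import re


def _glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Match an IAM wildcard pattern ('*' any run, '?' one char) against value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for a single (action, resource ARN) request."""
    decision = "Deny"  # nothing is allowed until a statement says so
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow
        decision = "Allow"
    return decision


# Constructed sample: the post's developer policy, reduced to two statements.
# dev-* domains are scoped to us-east-1; the prod-imdb operator grant uses region '*'.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudsearch:*"],
     "Resource": "arn:aws:cloudsearch:us-east-1:111122223333:domain/dev-*"},
    {"Effect": "Allow",
     "Action": ["cloudsearch:DescribeDomains", "cloudsearch:IndexDocuments",
                "cloudsearch:UpdateScalingParameters"],
     "Resource": "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"}
  ]
}""")

if __name__ == "__main__":
    arn = "arn:aws:cloudsearch:us-east-1:111122223333:domain/%s"
    for act, dom in [("cloudsearch:DeleteDomain", "dev-imdb"), ("cloudsearch:DeleteDomain", "prod-imdb")]:
        print(act, dom, evaluate(DEVELOPER_POLICY, act, arn % dom))
```

Note that the same DeleteDomain call on dev-imdb is denied if the request targets a region other than us-east-1, because the dev-* statement names the region explicitly while the prod-imdb statement uses a region wildcard.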

Business Owners

Finally, business owners are interested only in tuning search results. To do that, they need to be able to access the CloudSearch console and make changes to the rank expressions that control how the results are sorted. They also need to be able to re-index the domain and submit sample search requests. They shouldn’t be able to make any other changes to the domain configuration or delete the domain, and they have no need to upload documents.

Business owners need the following access:

  • Work in the console: DescribeDomains, ListDomainNames.
  • View and update expressions: DescribeExpressions, DefineExpression.
  • Update a domain’s index to reflect changes: IndexDocuments.
  • Submit search requests: search.

The following policy grants these permissions for the sandbox-imdb and prod-imdb domains. As in the earlier examples, granting permissions for access to multiple domains requires multiple statements.

{
    "Version":"2012-10-17",   
    "Statement": [
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:DescribeDomains",
                   "cloudsearch:ListDomainNames",
                   "cloudsearch:DefineExpression",
                   "cloudsearch:DescribeExpressions",
                   "cloudsearch:IndexDocuments",
                   "cloudsearch:search"
                  ],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/sandbox-imdb"
    },
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:DescribeDomains",
                   "cloudsearch:ListDomainNames",
                   "cloudsearch:DefineExpression",
                   "cloudsearch:DescribeExpressions",
                   "cloudsearch:IndexDocuments",
                   "cloudsearch:search"                 
                  ],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"    
    }]
}

Configuring Access for Applications

In a production environment, requests to perform document upload, search, and suggest actions are submitted programmatically. Generally, the application that prepares and uploads data to a domain is separate from the one that sends search or suggest requests. There’s no need for the document application to submit configuration or search requests, or for your web application to submit configuration or upload requests.

For example, the following policy grants access only to the document upload action for the prod-imdb domain.

{
    "Version":"2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:document"],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"
    }]
}

Similarly, the following policy grants access only to the search and suggest actions. This policy would be suitable for a web application that provides a way for users to search documents.

{
    "Version":"2012-10-17",   
    "Statement": [
    {
        "Effect": "Allow",
        "Action": ["cloudsearch:search",
                   "cloudsearch:suggest"
                  ],
        "Resource":
            "arn:aws:cloudsearch:*:111122223333:domain/prod-imdb"
    }]
}

Using Roles

When users access Amazon CloudSearch as IAM users, they use long-term credentials. CloudSearch also supports temporary security credentials, meaning it supports the use of IAM roles. To provide credentials to applications running in Amazon EC2, a security best practice is to use IAM roles. You can also use roles for cross-account access and federation.

In Summary

You now have the ability to control which Amazon CloudSearch actions your users can perform. For example, you might want to restrict access to the DeleteDomain action to specific administrators in order to protect your production domains from being accidentally deleted. Different permissions can be configured for each of your domains, enabling you to set different policies for different types of domains as well as different users.

We encourage you to start using IAM policies to control access to domain services. For more information, see Configuring Access for Amazon CloudSearch in the Amazon CloudSearch Developer Guide. If you have questions or comments about configuring access for your domains, post them to the Amazon CloudSearch forum—we’d love to hear from you!

-Jon