Add AWS Cognito to Elastic Cloud hosted Elasticsearch and self-hosted Kibana

I am very new to Elastic Stack. So, please forgive my ignorance.

I am using version 7.4.

What I want to achieve is,

  1. Integrate AWS Cognito with Kibana. The Cognito user pool has two user groups: Admin and User.
  2. When a user signs up, he is assigned the "User" role. An index is created in Elasticsearch and the user can only see data from that index.
  3. When a user logs in, he gets superuser permission if he is in the Admin group in Cognito. Otherwise he gets read-only permission.

What should be my approach to achieve this? Please describe a little bit so that a noob like me can understand better.

If by "integrate" you mean "use AWS Cognito to authenticate to the Elastic Stack", then you should start by reading about OpenID Connect and see our guide on how to configure OpenID Connect with the Elastic Stack at https://www.elastic.co/guide/en/elasticsearch/reference/7.4/oidc-guide-authentication.html

The first part happens in Cognito, so I guess you need to define a default configuration so that all new users end up in the User group in Cognito. For the second part there is no out-of-the-box solution as far as I know; you would have to come up with something yourself.

This is something you can set up quite easily with templated role mappings. You would need:

  1. One role per index which would give read permission to that index, see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-role.html
  2. A templated role mapping that would give each user the necessary role based on their username (which is also the index name, as above), see https://www.elastic.co/guide/en/elasticsearch/reference/7.4/security-api-put-role-mapping.html for more details.

Create an extra role mapping that would map the Admin group value to a superuser role in Elasticsearch, see https://www.elastic.co/guide/en/elasticsearch/reference/7.4/oidc-role-mapping.html for more details.

I would also like to point out that the one-index-per-user approach is not the only applicable one for authorization; you can and should look into Document Level Security and Field Level Security, which might allow you more granular control without creating new indices for each of your users.

Hope this helps as a starting point.
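The per-index role and the two role mappings the answer describes, as an added example that is not part of the original thread. It builds the request bodies for `PUT _security/role/<username>` and `PUT _security/role_mapping/<name>` and simulates locally how the mapping rules resolve for a sample user; the realm name `oidc1` and the assumption that the realm's `claims.groups` setting is pointed at Cognito's `cognito:groups` claim are mine, not from the post.

```python
# Added example (not from the post): the Elasticsearch security API request
# bodies the answer describes, plus a local simulation of how the mapping
# rules resolve for a sample OIDC user. Assumed: the realm is named "oidc1"
# and its claims.groups setting points at Cognito's "cognito:groups" claim.
REALM = "oidc1"  # assumed realm name

def index_read_role(username):
    """Role granting read-only access to the user's own index (index name == username)."""
    return {"indices": [{"names": [username], "privileges": ["read"]}]}

def per_user_role_mapping():
    """Templated mapping: every user of the realm receives the role named after them."""
    return {
        "enabled": True,
        "rules": {"field": {"realm.name": REALM}},
        "role_templates": [{"template": {"source": "{{username}}"}}],
    }

def admin_role_mapping():
    """Members of the Cognito 'Admin' group additionally become superusers."""
    return {
        "enabled": True,
        "rules": {"all": [{"field": {"realm.name": REALM}},
                          {"field": {"groups": "Admin"}}]},
        "roles": ["superuser"],
    }

def _rule_matches(rule, user):
    """Evaluate the subset of the mapping rule language used above: field, all, any."""
    if "all" in rule:
        return all(_rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(_rule_matches(r, user) for r in rule["any"])
    (field, expected), = rule["field"].items()
    if field == "groups":          # array field: matches if any group equals
        return expected in user["groups"]
    if field == "realm.name":
        return user["realm"] == expected
    return user.get(field) == expected

def resolve_roles(user, mappings):
    """Role names the user would receive from the given mappings (local simulation)."""
    roles = set()
    for m in mappings:
        if not m["enabled"] or not _rule_matches(m["rules"], user):
            continue
        roles.update(m.get("roles", []))
        for t in m.get("role_templates", []):
            # Only the {{username}} placeholder is interpreted here, not full Mustache.
            roles.add(t["template"]["source"].replace("{{username}}", user["username"]))
    return roles
```

A user from a different realm matches neither mapping, which is the check to keep in mind when native or file-realm users share the cluster.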

Thanks a lot for such a detailed answer. I will seek further help if needed. :slight_smile: