Controlling Access to Kibana Configuring Kibana to Use a WMS Map Server Connecting a Local Kibana Server to Amazon ES Additional Features

Kibana

Kibana is a popular open source visualization tool designed to work with Elasticsearch. Amazon ES provides an installation of Kibana with every Amazon ES domain. You can find a link to Kibana on your domain dashboard on the Amazon ES console. The URL is domain-endpoint/_plugin/kibana/. Queries using this default Kibana installation have a 300-second timeout.

The following sections address some common Kibana use cases:

Controlling Access to Kibana
Configuring Kibana to Use a WMS Map Server
Connecting a Local Kibana Server to Amazon ES

Controlling Access to Kibana

Kibana does not natively support IAM users and roles, but Amazon ES offers several solutions for controlling access to Kibana:

Enable SAML authentication for Kibana.
Use fine-grained access control with HTTP basic authentication.
Configure Amazon Cognito Authentication for Kibana.
For public access domains, configure an IP-based access policy, with or without a proxy server.
For VPC access domains, use an open access policy, with or without a proxy server, and security groups to control access. To learn more, see About Access Policies on VPC Domains.

Using a Proxy to Access Amazon ES from Kibana

Note

This process is only applicable if your domain uses public access and you don't want to use Amazon Cognito Authentication for Kibana. See Controlling Access to Kibana.

Because Kibana is a JavaScript application, requests originate from the user's IP address. IP-based access control might be impractical due to the sheer number of IP addresses you would need to allow in order for each user to have access to Kibana. One workaround is to place a proxy server between Kibana and Amazon ES. Then you can add an IP-based access policy that allows requests from only one IP address, the proxy's. The following diagram shows this configuration.

This is your Amazon ES domain. IAM provides authorized access to this domain. An additional, IP-based access policy provides access to the proxy server.
This is the proxy server, running on an Amazon EC2 instance.
Other applications can use the Signature Version 4 signing process to send authenticated requests to Amazon ES.
Kibana clients connect to your Amazon ES domain through the proxy.

To enable this sort of configuration, you need a resource-based policy that specifies roles and IP addresses. Here's a sample policy:


{
  "Version": "2012-10-17",
  "Statement": [{
      "Resource": "arn:aws:es:us-west-2:111111111111:domain/my-domain/*",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/allowedrole1"
      },
      "Action": [
        "es:ESHttpGet"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "123.456.789.123"
          ]
        }
      },
      "Resource": "arn:aws:es:us-west-2:111111111111:domain/my-domain/*"
    }
  ]
}

We recommend that you configure the EC2 instance running the proxy server with an Elastic IP address. This way, you can replace the instance when necessary and still attach the same public IP address to it. To learn more, see Elastic IP Addresses in the Amazon EC2 User Guide for Linux Instances.

If you use a proxy server and Amazon Cognito Authentication for Kibana, you might need to add settings for Kibana and Amazon Cognito to avoid redirect_mismatch errors. See the following nginx.conf example:


server {
    listen 443;
    server_name $host;
    rewrite ^/$ https://$host/_plugin/kibana redirect;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location /_plugin/kibana {
        # Forward requests to Kibana
        proxy_pass https://$kibana_host/_plugin/kibana;

        # Handle redirects to Cognito
        proxy_redirect https://$cognito_host https://$host;

        # Update cookie domain and path
        proxy_cookie_domain $kibana_host $host;
        proxy_cookie_path / /_plugin/kibana/;

        # Response buffer settings
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location ~ \/(log|sign|fav|forgot|change|saml|oauth2) {
        # Forward requests to Cognito
        proxy_pass https://$cognito_host;

        # Handle redirects to Kibana
        proxy_redirect https://$kibana_host https://$host;

        # Update cookie domain
        proxy_cookie_domain $cognito_host $host;
    }
}

Configuring Kibana to Use a WMS Map Server

The default installation of Kibana for Amazon ES includes a map service, except for domains in the India and China regions. The map service supports up to 10 zoom levels.

Regardless of your region, you can configure Kibana to use a different Web Map Service (WMS) server for coordinate map visualizations. Region map visualizations only support the default map service.

To configure Kibana to use a WMS map server:

Open Kibana.
Choose Management.
Choose Advanced Settings.
Locate visualization:tileMap:WMSdefaults.

Change enabled to true and url to the URL of a valid WMS map server:


{
  "enabled": true,
  "url": "wms-server-url",
  "options": {
    "format": "image/png",
    "transparent": true
  }
}

Choose Save.

To apply the new default value to visualizations, you might need to reload Kibana. If you have saved visualizations, choose Options after opening the visualization. Verify that WMS map server is enabled and WMS url contains your preferred map server, and then choose Apply changes.

Note

Map services often have licensing fees or restrictions. You are responsible for all such considerations on any map server that you specify. You might find the map services from the U.S. Geological Survey useful for testing.

Connecting a Local Kibana Server to Amazon ES

If you have invested significant time into configuring your own Kibana instance, you can use it instead of (or in addition to) the default Kibana instance that Amazon ES provides.

To connect a local Kibana server to Amazon ES:

Make the following changes to config/kibana.yml:


kibana.index: ".kibanalocal"
# Use elasticsearch.url for versions older than 6.6
# elasticsearch.url: "https://domain-endpoint:443"
# Use elasticsearch.hosts for versions 6.6 and later
elasticsearch.hosts: "https://domain-endpoint:443"

Older versions of Elasticsearch might only work over HTTP. In all cases, add the http or https prefix. For older versions, you must explicitly specify port 80 or 443. For newer versions, you can omit the port.

Additional Features

The default Kibana installation on each Amazon ES domain has some additional features compared to the open source version of Kibana:

User interfaces for the various Open Distro for Elasticsearch plugins
Tenants
Reports

Use the reports feature to generate on-demand CSV reports from the Discover page and PDF or PNG reports of dashboards or visualizations. Amazon ES does not support scheduled reports.
Gantt charts
Notebooks (experimental)

Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Learning to Rank

Managing Indices