Access AWS OpenSearch's Dashboard through API Gateway


I'm trying to set up AWS OpenSearch (the AWS version of ElasticSearch) and access its dashboard through API Gateway. This way, I think I can enforce authentication at the API Gateway level, and make sure the dashboard is only accessible from API Gateway using a resource-based policy or an IP-based policy with a proxy EC2.

I'm posting this question to check if this makes any sense before starting the setup work. Has anyone configured OpenSearch in this way? Do you see any potential problems?

Thanks,


There are 1 best solutions below


API Gateway will kill your request after 29 seconds, so if you have large requests, this will end in a timeout.

Using SAML or Cognito (probably with an additional Lambda trigger) will let you integrate the authentication if you have a central directory like OIDC. Using the integrated authentication will also work, if you are able to set up your users within OpenSearch itself.

Instead of using API Gateway, set your OpenSearch as non-VPC and add the resource policy for IP ranges. This will also bring you a more secure installation.

On my side, we are using OpenSearch with Cognito (OIDC integration) and some further Lambdas to also be able to do authorization (not only authentication). Additionally, we set up an IP-based policy so that the Dashboard can only be reached from specific IP addresses (which we know because of VPN and DirectConnect).
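The IP-based resource policy recommended in the answer is only useful if every anonymous `Allow` statement actually carries a source-IP condition. The following is an added example, not code from the answer or from AWS: a small audit of a domain access policy document. The ARN placeholders, the documentation CIDR range, the function names and the `max_hosts` threshold are all assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample policy (placeholder region/account/domain, documentation CIDR).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Restricted: anonymous principal, but only from the VPN range
            "Sid": "DashboardFromVpn",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:ESHttp*",
            "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/DOMAIN_NAME/*",
            "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
        },
        {   # Weak: anonymous principal with no source restriction at all
            "Sid": "OpenToWorld",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "es:ESHttpGet",
            "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/DOMAIN_NAME/*",
        },
    ],
})

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS", [])))

def source_cidrs(statement):
    cond = statement.get("Condition", {}).get("IpAddress", {})
    # Condition key names are case-insensitive in IAM policies
    return [c for k, v in cond.items() if k.lower() == "aws:sourceip" for c in as_list(v)]

# max_hosts is an assumed threshold for "too broad", not an AWS limit.
def audit(policy_json, max_hosts=65536):
    findings = []
    for st in as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        cidrs = source_cidrs(st)
        if not cidrs:
            findings.append((st.get("Sid"), "no aws:SourceIp condition"))
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts:
                findings.append((st.get("Sid"), f"overly broad range {cidr}"))
    return findings
```

Run `audit()` on the access policy JSON exported from the domain configuration; an empty list means every anonymous `Allow` is pinned to a bounded IP range.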