Amazon Elasticsearch

Overview

This guide outlines the configuration steps for adding Amazon OpenSearch/Elasticsearch as a resource in the StrongDM using access keys.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging.

Amazon Elasticsearch and Amazon OpenSearch are both supported by StrongDM via this datasource type. We support the following combinations:

• Elasticsearch domain with Elasticsearch cluster

• OpenSearch domain with Elasticsearch cluster

• OpenSearch domain with OpenSearch cluster

To use IAM rather than access keys, see the Amazon ES (IAM) page.

To add the resource to StrongDM, you will need the database hostname, port, and a valid set of credentials. Optionally, you can store these credentials in a supported secrets manager and reference them from within StrongDM. The resource's server must be reachable from the selected StrongDM node and configured to accept connections from that node’s IP or network.

Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection. When done, you will be able to use the StrongDM Desktop application or CLI to connect to Amazon OpenSearch/Elasticsearch.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports Amazon Elasticsearch and Amazon OpenSearch clusters that are accessible using AWS access keys (Access Key ID and Secret Access Key).

Clients should use standard Elasticsearch and OpenSearch protocols over HTTPS (for example, RESTful APIs via curl, Postman, or SDKs).

Note that some legacy Amazon Elasticsearch service versions may have authentication or networking constraints. Ensure your cluster supports access key–based authentication and HTTPS connections before adding it to StrongDM.

Prerequisites

To add your Amazon Elasticsearch or OpenSearch resource in StrongDM using access keys, make sure the following requirements are met.

In StrongDM, you must have the following:

• Administrator permission level

• At least one operational StrongDM node (gateway, relay, or proxy cluster) deployed in a location that can reach the Elasticsearch/OpenSearch endpoint

• Valid set of AWS access key credentials (Access Key ID and Secret Access Key) that have permissions to the domain.

• If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

On the AWS side, you must have the following:

• Elasticsearch or OpenSearch domain that is configured to accept access key–based authentication

• AWS user account with an access key and secret key that has permissions to the domain. At minimum, permissions should include actions like es:ESHttpGet and es:ESHttpPost, as appropriate for your workloads.

• Network accessibility: ensure security groups, VPC settings, and access policies allow StrongDM nodes to connect

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

# Add Amazon Elasticsearch datasource
sdm admin datasources add amazones my-es-access-keys
  --endpoint="search-prod-domain.us-west-2.es.amazonaws.com"
  --region="us-west-2"
  --port="443"
  --access-key="AKIAEXAMPLE"
  --secret-key="secretKeyExample123"
  --bind-interface="127.0.0.1"
  --egress-filter="tag:environment=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="es-prod"
  --tags="env=production,team=search"
  --tls-required

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Amazon ES (Access Keys) resource
resource "sdm_amazones" "es_prod" {
  name       = "es-access-keys-prod"
  endpoint   = "search-prod-domain.us-west-2.es.amazonaws.com"
  region     = "us-west-2"
  port       = 443

  # Access keys
  access_key = "AKIAEXAMPLE"
  secret_key = "secretKeyExample123"

  # Networking / node routing
  bind_interface   = "127.0.0.1"
  egress_filter    = "tag:environment=prod"
  port_override    = 12345
  proxy_cluster_id = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id  = "se-e1b2"
  subdomain        = "es-prod"
  tags = {
    env    = "production"
    team   = "search"
    region = "west"
  }

  # TLS (recommended)
  tls_required = true
  # Optional certificate pinning / client auth (include only if needed)
  # ca_cert     = file("ca.crt")
  # client_cert = file("client.crt")
  # client_key  = file("client.key")
}

Configuration Properties

The following configuration properties are required to define an Amazon Elasticsearch datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Secret Store Options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource Status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.

2. In the CLI, run sdm status to list the available datasources. Ensure that the Amazon Elasticsearch resource appears in your list of accessible datasources.

3. Start a session to the resource, as in the following example:

   Copy

   sdm connect es-access-keys-prod

   This prepares your environment to route traffic securely through StrongDM to the Elasticsearch/OpenSearch domain. See the CLI Reference documentation for details on sdm connect.

4. Use your preferred client (for example, curl, Postman, or an Elasticsearch/OpenSearch tool) to request cluster health. If you configured a Subdomain (for example, es-prod), you can use it directly; otherwise, use the endpoint you entered in the resource.

   Copy

   # If using the StrongDM subdomain:
   curl -s https://es-prod.<ORGANIZATION>.sdm.network/_cluster/health | jq .
   
   # Example if using the AWS domain you configured:
   curl -s https://search-prod-domain.us-west-2.es.amazonaws.com/_cluster/health | jq .

   You should receive a JSON response showing cluster status. This confirms both connectivity and authentication using your access keys.

5. In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to verify your session and API requests were captured.

6. If you set TLS required on the resource, confirm that the connection negotiates TLS successfully. Mismatched certificate authority or client certs or hostname issues will surface as handshake errors.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

• Resource name or ID

• CLI error output or logs

• Node name and region

• Timestamps of failed attempts