by luhn 3294 days ago
The IAM authentication is really annoying. It's not supported by many client libraries, nor have I found an easy way to make arbitrary HTTP calls with signature v4.

The only other options are completely public or an IP-based whitelist, the latter of which is untenable in most cloud environments.

2 comments

You can also use a signing proxy.
I wasn't aware of that option. I'll look into it.
A simple solution in this vein is to whitelist the EIP addresses of your NAT. This would give access to all resources in a private subnet (this is useful for Lambdas running in subnets).
>nor have I found an easy way to make arbitrary HTTP calls with signature v4.

https://github.com/okigan/awscurl

Yep, that's precisely why I made awscurl "easy way to make calls to AWS".

It can be easily tested with AWS Elasticsearch.

It's a great tool man, I use it tonnes, thanks for making it!
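For readers who want to see what Signature Version 4 involves when making an arbitrary HTTP call, here is an added example (not from the thread and not awscurl's code) that signs a request with only the Python standard library. The endpoint hostname is constructed, the credentials are the example values from AWS documentation, and `es` is the signing name of the Elasticsearch service.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the secret key."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign_request(method, url, body, access_key, secret, region, service, amz_date):
    """Return the headers to send; amz_date is UTC in YYYYMMDDTHHMMSSZ form."""
    u = urlsplit(url)
    headers = {"host": u.netloc, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    # Query parameters are URI-encoded first, then sorted by name and value.
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(u.query, keep_blank_values=True))
    canonical = "\n".join([
        method,
        quote(u.path or "/", safe="/-_.~"),  # path as sent, encoded once more
        "&".join(f"{k}={v}" for k, v in pairs),
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

# Constructed endpoint; example credentials as published in AWS documentation.
URL = "https://search-example.us-east-1.es.amazonaws.com/_cluster/health?pretty=true"
ACCESS_KEY = "AKIDEXAMPLE"
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

if __name__ == "__main__":
    for name, value in sign_request("GET", URL, b"", ACCESS_KEY, SECRET,
                                    "us-east-1", "es", "20150830T123600Z").items():
        print(f"{name}: {value}")
```

The signature covers the method, path, query, signed headers and body hash, so a proxy or client that alters any of them after signing causes the service to reject the request.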