AWS Elasticsearch Service IAM Role Based Access Policy
Answer : When using IAM service with AWS, you must sign your requests. curl doesn't support signed requests (which consists of hashing the request and adding a parameter to the header of the request). You can use one of their SDK's that has the signing algorithm built in, and then submit that request. See: http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/what-is-amazon-elasticsearch-service.html#signing-requests You can find the SDKs for popular languages here: http://aws.amazon.com/tools/ First, you said you can't login to an EC2 instance to curl the ES instance? You can't login? Or you can't curl it from EC2? I have my Elasticsearch (Service) instance open to the world (with nothing on it) and am able to curl it just fine, without signing. I changed the access policy to test, but unfortunately it takes forever to come back up after changing it... My policy looks like this: { "Version": "2012-10-17", ...