diff --git a/provider/indexer-aws/CloudFormation/Automated/elasticsearch.yml b/provider/indexer-aws/CloudFormation/Automated/elasticsearch.yml
index 96c58e04285c946e661eea6715d5178f141010ca..1d4b2c107b888cbf99e5bb0a679c0df3dc2ba6e2 100644
--- a/provider/indexer-aws/CloudFormation/Automated/elasticsearch.yml
+++ b/provider/indexer-aws/CloudFormation/Automated/elasticsearch.yml
@@ -192,6 +192,7 @@ Resources:
                 - !Sub arn:aws:iam::${AWS::AccountId}:root
                 - Fn::ImportValue:
                     !Sub "${Environment}-IndexerServiceIamUserArn"
+                - "arn:aws:iam::888733619319:role/Cognito_osduelasticsearchAuth_Role"
             Action: "es:*"
             Resource: !Sub arn:aws:es:us-east-1:846973539254:domain/${Environment}-${ElasticsearchDomainName}/*
       AdvancedOptions:
diff --git a/provider/indexer-aws/CloudFormation/Automated/iam-credentials.yml b/provider/indexer-aws/CloudFormation/Automated/iam-credentials.yml
index cd20ec48f453dcb4e73b771b0105111d8c426283..c17e86996fcd08221bb34724713ba9fb8bcfa644 100644
--- a/provider/indexer-aws/CloudFormation/Automated/iam-credentials.yml
+++ b/provider/indexer-aws/CloudFormation/Automated/iam-credentials.yml
@@ -65,6 +65,8 @@ Resources:
                   - 'logs:*'
                   - 'cloudwatch:*'
                   - 'es:*'
+                  - 'cognito-identity:*'
+                  - 'cognito-idp:*'
                 Effect: Allow
                 Resource: '*'
       UserName: !Sub ${Environment}-${IndexerServiceIamUsername}