The Creating and Configuring Amazon Elasticsearch Service Domains documentation shows that Elasticsearch HTTP methods can be controlled using IAM policies:
Amazon ES supports the following actions for HTTP methods. You can attach a separate access policy to each HTTP method:
Since Elasticsearch is an open source interface and not an Amazon solution, it may initially be unclear how IAM policies could apply to it. The aws-sdk-java/AWSElasticsearchClient.java source on GitHub shows an AWSCredentialsProvider implementing the Signature Version 4 Signing Process on the HTTP requests. Unfortunately, this means that not all Elasticsearch clients will be compatible with this security configuration: a client that cannot sign its requests this way cannot satisfy it.
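To make the signing requirement concrete, here is an added example (not code from the AWS SDK or from this page) that builds the Signature Version 4 headers for a request to an Amazon ES endpoint using only the Python standard library. The endpoint, index path and function names are assumptions, and the credentials are AWS's documented example keys; it covers the narrowed case of a request with no query string.

```python
import hashlib
import hmac
from datetime import datetime, timezone

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service SigV4 signing key."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def sign_request(method, host, path, body, access_key, secret_key, region, now):
    """Return the headers a client must send so IAM can authorize the request.

    Narrowed case: no query string, and `path` holds only unreserved characters.
    """
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    # The HTTP method is the first line of the canonical request, so a signature
    # made for GET does not validate for DELETE on the same path.
    canonical = "\n".join([
        method, path, "",  # empty canonical query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{date}/{region}/es/aws4_request"  # "es" is the Amazon ES service name
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret_key, date, region, "es"),
                   to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers

# Constructed sample values: placeholder endpoint and AWS's documented example keys
HOST = "search-example.us-east-1.es.amazonaws.com"
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for method in ("GET", "DELETE"):
        hdrs = sign_request(method, HOST, "/my-index/_search", b"",
                            ACCESS_KEY, SECRET_KEY, "us-east-1", now)
        print(method, hdrs["Authorization"])
```

A stock Elasticsearch client sends none of these headers, which is why it is rejected once the domain's access policy requires an IAM principal.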