向AWS Elasticsearch Service添加多个域访问策略(静态IP和Lambda ARN)

时间:2016-09-01 08:30:03

标签: amazon-web-services elasticsearch aws-lambda amazon-elasticsearch aws-access-policy

在设置AWS Elasticsearch之后,我在静态IP服务器上安装了Logstash和Kibana代理,并在ES上添加了此域访问策略,并且它正常工作:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    }
  ]
}

现在我需要允许Lambda函数在AWS ES上执行es:ESHttpDelete操作,因此我创建了具有现有角色service-role/Elasticsearch的函数,然后将相关ARN从IAM管理控制台复制到将其添加到AWS ES访问策略中,以提出:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}

问题在于ES我应该为静态IP或ARN选择域访问策略,但不能同时选择两者。当我尝试手动合并它们而不是使用控制台时,它没有工作。我检查了AWS文档,但他们没有提到是否可能。

1 个答案:

答案 0 :(得分:2)

您可以使用JSON格式的策略在Statement数组中添加多个策略语句。所以,你的最终政策将是:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}