AWS访问策略,允许从IP地址或IAM用户进行访问

时间:2017-08-28 10:57:55

标签: amazon-web-services

我正在使用AWS Elasticsearch,我需要设置一个访问策略,允许从固定IP访问Kibana和Web界面。我还想允许特定的用户访问密钥能够从任何IP访问它,因为记录将从我们的服务器中插入。

因此,归结为制定一项政策,我需要在orIP之间建立ARN关系。

以下是我的IP政策的样子:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xx.xx.173"
        }
      }
    }
  ]
}

以下是我的ARN政策的样子:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxx:user/xxxx"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
    }
  ]
}

我如何获得它们之间的关系?

1 个答案:

答案 0 :(得分:1)

如果我正确理解您的问题,您应该能够通过将两个语句对象添加到statement数组中来实现您想要的目标,如:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xx.xx.173"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxx:user/xxxx"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
    }
  ]
}