我想通过定义Access Policies
来限制对aws上我的Elasticsearch集群的访问,这将限制对iam用户,特定的lambda函数和appsync api的访问。
我已经在cloudsearch的elasticsearch资源中定义了以下access policies
,但这失败了,并显示了一个错误:Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
如何修改我的政策,使其生效?
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:",
{"Ref": "AWS::Region"},
":",
{"Ref": "AWS::AccountId"},
":function:",
{"Ref": "DdEsLambdaFunctionName"},
"-",
{"Ref": "env"}
]
]
},
{
"Fn::Join": [
"",
[
{"Ref": "GraphQLAPI"},
"/*"
]
]
}
]
},
"Action": [
"es:ESHttp*"
]
},
{
"Effect": "Allow",
"Principal": [
{
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{"Ref": "AWS::AccountId"},
":user/*"
]
]
}
}
],
"Action": "*"
}
]
},...}
答案 0 :(得分:0)
不确定这是否是核心问题,但您的第一个Principal
错误。
您指定了Service
,但您提供了lambda ARN。 ARN的类型为AWS
,而不是Service
。可能GraphQLAPI
也是ARN,它又不是Service
委托人,而是AWS
委托人。