Amazon Elastic Search 集群的正确访问策略 [英] Proper access policy for Amazon Elastic Search Cluster

问题描述

我最近开始使用新的 Amazon Elasticsearch Service，但似乎无法确定我需要的访问策略，因此我只能从分配了特定 IAM 角色的 EC2 实例访问服务.

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.

以下是我目前为 ES 域分配的访问策略示例:

Here's an example of the access policy I currently have assigned for the ES domain:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[ACCOUNT_ID]:role/my_es_role",
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
    }
  ]
}

但正如我所说，这行不通.我登录到 EC2 实例(附加了 my_es_role 角色)并尝试在https://*.es.amazonaws.com"端点上运行一个简单的 curl 调用，我得到以下错误:

But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" end point, I get the following error:

{"Message":"User:anonymous is not Authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/}

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}

有谁知道我必须在访问策略中更改什么才能使其正常工作?

Does anyone know what I have to change in the access policy in order for this to work?

推荐答案

您可以锁定仅限 IAM 的访问权限，但是您将如何在浏览器中查看 Kibana?您可以设置代理(参见要点和/或NPM 模块)或启用 IAM 和基于 IP 的访问以查看结果.

You can lock access down to IAM-only, but how will you view Kibana in your browser? You could setup a proxy (see Gist and/or NPM module) or enable both IAM and IP-based access for viewing results.

我能够使用以下访问策略获得 IAM 访问 IP 限制的访问权限.请注意，顺序很重要:我无法在 IAM 语句之前使用基于 IP 的语句使其正常工作.

I was able to get both IAM access IP-restricted access with the following Access Policy. Note the order is important: I could not get it working with the IP-based statement before the IAM statement.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}

我的 EC2 实例有一个实例配置文件，其中包含arn:aws:iam::aws:policy/AmazonESFullAccess政策.Logstash 应使用 logstash-output-amazon-es 输出插件签署请求.在我的 EC2 实例上运行的 Logstash 包含如下输出部分:

My EC2 instance has an instance profile with the arn:aws:iam::aws:policy/AmazonESFullAccess policy. Logstash should sign requests using the logstash-output-amazon-es output plugin. Logstash running on my EC2 instance includes an output section like this:

output {
    amazon_es {
        hosts => ["ELASTICSEARCH_HOST"]
        region => "AWS_REGION"
    }
    # If you need to do some testing & debugging, uncomment this line:
    # stdout { codec => rubydebug }
}

我可以从访问策略中的两个 IP(192.168.1.0 和 192.168.1.1)访问 Kibana.

I can access Kibana from the two IPs in the access policy (192.168.1.0 and 192.168.1.1).

这篇关于Amazon Elastic Search 集群的正确访问策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！