Amazon Elastic Search 集群的正确访问策略 [英] Proper access policy for Amazon Elastic Search Cluster
问题描述
我最近开始使用新的 Amazon Elasticsearch Service,但似乎无法确定我需要的访问策略,因此我只能从分配了特定 IAM 角色的 EC2 实例访问服务.
I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.
以下是我目前为 ES 域分配的访问策略示例:
Here's an example of the access policy I currently have assigned for the ES domain:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::[ACCOUNT_ID]:role/my_es_role",
]
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
}
]
}
但正如我所说,这行不通.我登录到 EC2 实例(附加了 my_es_role
角色)并尝试在https://*.es.amazonaws.com"端点上运行一个简单的 curl 调用,我得到以下错误:
But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role
role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" end point, I get the following error:
{"Message":"User:anonymous is not Authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/}>
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}
有谁知道我必须在访问策略中更改什么才能使其正常工作?
Does anyone know what I have to change in the access policy in order for this to work?
推荐答案
您可以锁定仅限 IAM 的访问权限,但是您将如何在浏览器中查看 Kibana?您可以设置代理(参见要点和/或NPM 模块)或启用 IAM 和基于 IP 的访问以查看结果.
You can lock access down to IAM-only, but how will you view Kibana in your browser? You could setup a proxy (see Gist and/or NPM module) or enable both IAM and IP-based access for viewing results.
我能够使用以下访问策略获得 IAM 访问 IP 限制的访问权限.请注意,顺序很重要:我无法在 IAM 语句之前使用基于 IP 的语句使其正常工作.
I was able to get both IAM access IP-restricted access with the following Access Policy. Note the order is important: I could not get it working with the IP-based statement before the IAM statement.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.168.1.0",
"192.168.1.1"
]
}
}
}
]
}
我的 EC2 实例有一个实例配置文件,其中包含arn:aws:iam::aws:policy/AmazonESFullAccess
政策.Logstash 应使用 logstash-output-amazon-es 输出插件签署请求.在我的 EC2 实例上运行的 Logstash 包含如下输出部分:
My EC2 instance has an instance profile with the
arn:aws:iam::aws:policy/AmazonESFullAccess
policy. Logstash should sign requests using the logstash-output-amazon-es output plugin. Logstash running on my EC2 instance includes an output section like this:
output {
amazon_es {
hosts => ["ELASTICSEARCH_HOST"]
region => "AWS_REGION"
}
# If you need to do some testing & debugging, uncomment this line:
# stdout { codec => rubydebug }
}
我可以从访问策略中的两个 IP(192.168.1.0 和 192.168.1.1)访问 Kibana.
I can access Kibana from the two IPs in the access policy (192.168.1.0 and 192.168.1.1).
这篇关于Amazon Elastic Search 集群的正确访问策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!