适用于亚马逊弹性搜索集群的访问策略 [英] Proper access policy for Amazon Elastic Search Cluster
问题描述
以下是我目前为ES域分配的访问策略示例:
code> {
版本:2012-10-17,
声明:[
{
Sid:,
效果:允许,
Principal:{
AWS:[
arn:aws:iam :: [ACCOUNT_ID]:role / my_es_role,
},
Action:es:*,
资源:arn:aws:es:us-east-1:[ACCOUNT_ID] [ES_DOMAIN] / *
}
]
}
但正如我所说,这不行。我登录到EC2实例(其中附有$ code> my_es_role 角色),并尝试在https://*.es.amazonaws上运行一个简单的卷曲调用。 com终点,我收到以下错误:
{消息:用户:匿名无权执行:es: ESHttpGet on resource:arn:aws:es:us-east-1:[ACCOUNT_ID]:domain / [ES_DOMAIN] /}
有谁知道在访问策略中我必须改变什么才能使其工作?
您可以锁定访问权限仅限IAM,但您将如何在浏览器中查看Kibana?您可以设置代理(参阅Gist )或启用基于IAM和IP的访问来查看结果。
我能够通过以下访问策略获得IAM访问受IP访问权限ote的顺序很重要:我不能让它在IAM声明之前使用基于IP的语句。
{
版本:2012-10-17,
声明:[
{
效果:允许,
Principal:{
AWS:arn:aws:iam :: xxxxxxxxxxxx:root
},
Action:es:*,
Resource:arn: aws:es:us-west-2:xxxxxxxxxxxx:domain / my-elasticsearch-domain / *
},
{
Sid:,
效果:允许,
主体:{
AWS:*
},
行动:es:*,
资源:arn:aws:es:us-west-2:xxxxxxxxxxxx:domain / my-elasticsearch-domain / *,
条件:{
IpAddress:{
aws:SourceIp:[
192.168.1.0,
192.168.1.1
]
}
}
}
]
}
我的EC2实例有一个实例ile与
arn:aws:iam :: aws:policy / AmazonESFullAccess
策略。 Logstash应使用 logstash-output-amazon-es输出插件来签署请求。在我的EC2实例上运行的Logstash包含如下输出部分:
输出{
amazon_es {
主机=> [ELASTICSEARCH_HOST]
region => AWS_REGION
}
#如果你需要做一些测试&调试,取消注释这一行:
#stdout {codec => rubydebug}
}
我可以从访问策略中的两个IP访问Kibana(192.168 .1.0和192.168.1.1)。
I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.
Here's an example of the access policy I currently have assigned for the ES domain:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::[ACCOUNT_ID]:role/my_es_role",
]
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
}
]
}
But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role
role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" end point, I get the following error:
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}
Does anyone know what I have to change in the access policy in order for this to work?
You can lock access down to IAM-only, but how will you view Kibana in your browser? You could setup a proxy (see Gist) or enable both IAM and IP-based access for viewing results.
I was able to get both IAM access IP-restricted access with the following Access Policy. Note the order is important: I could not get it working with the IP-based statement before the IAM statement.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.168.1.0",
"192.168.1.1"
]
}
}
}
]
}
My EC2 instance has an instance profile with the
arn:aws:iam::aws:policy/AmazonESFullAccess
policy. Logstash should sign requests using the logstash-output-amazon-es output plugin. Logstash running on my EC2 instance includes an output section like this:
output {
amazon_es {
hosts => ["ELASTICSEARCH_HOST"]
region => "AWS_REGION"
}
# If you need to do some testing & debugging, uncomment this line:
# stdout { codec => rubydebug }
}
I can access Kibana from the two IPs in the access policy (192.168.1.0 and 192.168.1.1).
这篇关于适用于亚马逊弹性搜索集群的访问策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!