5

设置 AWS Elasticsearch 后,我在静态 IP 服务器上安装了 Logstash 和 Kibana 代理,并在 ES 上添加了这个域访问策略,它工作正常:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    }
  ]
}

现在我需要允许 Lambda 函数es:ESHttpDelete在 AWS ES 上执行操作,因此我使用现有角色创建了该函数,然后从 IAM 管理控制台service-role/Elasticsearch复制了相关事件以将其添加到 AWS ES 访问策略中,从而得出以下结论:ARN

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}

问题出在 ES 上,我应该为静态 IP 或 ARN 选择域访问策略,但不能同时选择两者。当我尝试手动合并它们而不是使用控制台时它不起作用。我检查了 AWS 文档,但他们没有提到这是否可能。

4

1 回答 1

2

Statement您可以在策略的 JSON 格式的数组中添加多个策略语句。因此,您的最终政策将类似于:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}
于 2017-01-20T13:45:18.130 回答