I currently have an access policy for an Elasticsearch domain that looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ES_DOMAIN_HERE/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "**.**.***.***",
            "**.***.***.***",
            "**.***.***.**",
            "***.***.***.**",
            ...
          ]
        }
      }
    }
  ]
}

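Remembering what each whitelisted IP is for is a pain, and maintaining the IP list would be much easier if I could annotate the policy with IP descriptions. I'm imagining something like the following: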

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ES_DOMAIN_HERE/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "**.**.***.***",
            "**.***.***.***",
            "**.***.***.**",
            "***.***.***.**",
            ...
          ]
        }
      },
      "meta": {
        "IpAddress": {
            "**.**.***.***" : "INACTIVE - Test Server",
            "**.***.***.***" : "General Server",
            "**.***.***.**" : "Main Office",
            "***.***.***.**" : "Remote Server",
            ...
        }
      }
    }
  ]
}

How can I add comments or metadata to my access policy?

1 Answer

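As of now, there is no policy element available that serves your purpose. You could consider referencing or adding some information in the Sid element of your policy, but that would not be enough to meet your needs.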

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

Answered 2017-09-08T19:11:38.517
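
One way to keep the descriptions next to the addresses without putting them in the policy, as an added example that is not part of the question or the answer above: hold the annotated list in a separate inventory and generate the policy JSON from it. The names `ANNOTATED_IPS` and `build_policy` and the sample addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample inventory: documentation-range addresses (RFC 5737),
# not the masked IPs from the question.
ANNOTATED_IPS = [
    {"cidr": "192.0.2.10", "note": "Test Server", "active": False},
    {"cidr": "198.51.100.0/24", "note": "General Server", "active": True},
    {"cidr": "203.0.113.7", "note": "Main Office", "active": True},
]

DOMAIN_ARN = "arn:aws:es:ES_DOMAIN_HERE/*"  # placeholder kept from the question


def build_policy(entries, resource):
    """Render the access policy from an annotated allow-list.

    Descriptions stay in the inventory; only validated, active
    addresses reach aws:SourceIp.
    """
    allowed = []
    for entry in entries:
        if not entry["note"].strip():
            raise ValueError(f"{entry['cidr']}: every entry needs a description")
        # strict=True rejects host bits set in a network, e.g. 10.0.0.5/24
        net = ipaddress.ip_network(entry["cidr"], strict=True)
        if net.prefixlen == 0:
            raise ValueError("refusing to allow the entire address space")
        if entry["active"]:
            allowed.append(str(net) if net.num_addresses > 1 else str(net.network_address))
    if not allowed:
        raise ValueError("no active entries to allow")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": resource,
            "Condition": {"IpAddress": {"aws:SourceIp": sorted(set(allowed))}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_policy(ANNOTATED_IPS, DOMAIN_ARN), indent=2))
```

The inventory can live in version control, so each address change carries its description and an author in the commit history.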