我正在使用AWS Elasticsearch,我需要设置一个访问策略,允许从固定IP访问Kibana和Web界面。我还想允许特定的用户访问密钥能够从任何IP访问它,因为记录将从我们的服务器中插入。
因此,归结为制定一项政策,我需要在or和IP之间建立ARN关系。
以下是我的IP政策的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "xxx.xx.xx.173"
}
}
}
]
}
以下是我的ARN政策的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxx:user/xxxx"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
}
]
}
我如何获得它们之间的关系?
答案 0 :(得分:1)
如果我正确理解您的问题,您应该能够通过将两个语句对象添加到statement数组中来实现您想要的目标,如:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "xxx.xx.xx.173"
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxxxx:user/xxxx"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
}
]
}