我有一个AutoScaling组,该组必须有权访问AWS ElasticSearch Service, 但是,正如您所知,在这种情况下,将IP地址用作访问策略将不起作用(IP每次都会更改). 我想知道是否有一种方法可以使用IAM角色或安全组来限制对自动伸缩组的访问. 如果可以,请给我一个例子吗?
I have an AutoScaling group who must have the access to the AWS ElasticSearch Service, But as you know, using IP address as access policies will not work in this case (The ip change every time). I wonder if there is a way to use IAM Roles or Security groups to limit the access to the auto scaling group. If there is can you give me an example?
提前谢谢
推荐答案
您指定哪些IAM用户或角色应有权访问您的 领域.对域的所有请求都必须使用AWS Signature签名 版本4签名.当请求到达域时,将转发该请求 IAM进行签名验证和访问控制.
You specify which IAM users or roles should have access to your domain. All requests to the domain must be signed with AWS Signature Version 4 signing. When a request reaches the domain, it is forwarded to IAM for signature verification and access control.
政策,例如:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/susan" }, "Action": "es:*", "Resource": "arn:aws:es:us-west-2:123456789012:domain/mydomain/*" } ] }用生成的策略中的用户ARN和域ARN替换为红色.
Replace the user ARN and domain ARN in red with those from the generated policy.
请参阅 AWS博客
更多推荐
将AWS ElasticSearch访问权限限制为自动缩放组
发布评论