Question
I'm building a mobile app that requires access to an AWS Elasticsearch (ES) cluster and would like to make sure only the app can make queries.
Assuming I'm not going to distribute AWS user credentials with my mobile application, what would be a secure way to allow read access to an AWS Elasticsearch cluster?
Reading this AWS post, I gathered that I can set up a reverse proxy to sign my requests to Elasticsearch. If I follow this route, how would I secure access to the EC2 instance port where the proxy is listening?
Answer 1:
For mobile applications, what you want to set up is Web Identity Federation. This will give users temporary credentials to access AWS resources needed for your mobile application.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html
Setting up http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
Article from Amazon on Web Identity Federation with Mobile Applications
https://aws.amazon.com/articles/4617974389850313
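
The following is an added example, not part of the original answer: it shows how an app holding the temporary credentials from Web Identity Federation could sign a read-only Elasticsearch request itself with AWS Signature Version 4, so no signing proxy port has to be exposed. The host, index path, timestamp and credential values are constructed placeholders; in a real app the three credential fields come from the STS `AssumeRoleWithWebIdentity` response.

```python
import hashlib
import hmac
from urllib.parse import quote

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_es_get(host, path, query, region, creds, amz_date):
    """Build SigV4 headers for a body-less GET to an Amazon ES domain.

    creds: dict with AccessKeyId, SecretAccessKey, SessionToken (temporary).
    path: already percent-encoded, as sent on the wire.
    amz_date: UTC timestamp, format YYYYMMDDTHHMMSSZ.
    """
    scope = f"{amz_date[:8]}/{region}/es/aws4_request"
    # Temporary credentials require the session token header, and it is signed.
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-security-token": creds["SessionToken"]}
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canonical_query = "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        "GET", quote(path, safe="/~"), canonical_query,
        canonical_headers, signed_headers,
        hashlib.sha256(b"").hexdigest(),  # hash of the empty body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = ("AWS4" + creds["SecretAccessKey"]).encode()
    for part in (amz_date[:8], region, "es", "aws4_request"):
        key = hmac_sha256(key, part)
    signature = hmac_sha256(key, string_to_sign).hex()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials or a real domain.
    creds = {"AccessKeyId": "ASIAEXAMPLEKEYID0000",
             "SecretAccessKey": "constructed-secret-key",
             "SessionToken": "constructed-session-token"}
    for name, value in sign_es_get(
            "search-example.us-east-1.es.amazonaws.com", "/movies/_search",
            {"q": "title:star"}, "us-east-1", creds, "20170530T120000Z").items():
        print(f"{name}: {value}")
```

Because the session token is part of the signed headers, a request replayed with a different or expired token fails signature verification, and the role's permission policy decides which Elasticsearch HTTP methods the signed request may use.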
Source: https://stackoverflow.com/questions/44253143/how-to-secure-access-to-aws-elasticsearch-from-a-mobile-application