问题
I have an AutoScaling group who must have the access to the AWS ElasticSearch Service, But as you know, using IP address as access policies will not work in this case (The ip change every time). I wonder if there is a way to use IAM Roles or Security groups to limit the access to the auto scaling group. If there is can you give me an example?
Thank you in advance
回答1:
You specify which IAM users or roles should have access to your domain. All requests to the domain must be signed with AWS Signature Version 4 signing. When a request reaches the domain, it is forwarded to IAM for signature verification and access control.
A policy Like:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/susan"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:123456789012:domain/mydomain/*"
}
]
}
Replace the user ARN and domain ARN in red with those from the generated policy.
Refer AWS Blog
来源:https://stackoverflow.com/questions/46682517/restrict-the-aws-elasticsearch-access-to-an-auto-scaling-group