AWS ElasticSearch domain creation permission

问题

I tried to give permission required to create an ES domain in AWS to an IAM account but I couldn't find any existing policy to attach except AdministratorAccess. Is there a custom policy or something I can assign to the IAM account? I searched the web but couldn't find anything helpful either.

回答1:

Amazon ES supports three types of access policies:

1. Resource-based Policies

2. Identity-based Policies

3. IP-based Policies

To get detailed information, about how to create your own custom policies you can go through these official documentation :

Identity and Access Management in Amazon Elasticsearch Service

Fine-Grained Access Control in Amazon Elasticsearch Service

To configure access policies, you also get some templates, modifying which you can create your own policies.

You can create IP-based restrictions, you can restrict Amazon ES endpoint access to certain AWS accounts or users

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "111.222.333.444/32"
          ]
        }
      },
      "Resource": "arn:aws:es:us-west-2:123456789012:domain/mydomain/*"
    }
  ]

To know more about How to Control Access to Your Amazon Elasticsearch Service Domain this

来源：https://stackoverflow.com/questions/61968052/aws-elasticsearch-domain-creation-permission