AWS訪問策略允許從IP地址或IAM用戶訪問

Question

我正在使用AWS Elasticsearch，我需要設置訪問策略以允許從固定IP訪問Kibana和Web界面。我還希望允許特定的用戶訪問密鑰能夠從任何IP訪問它，因爲記錄將從我們的服務器中插入。

所以它歸結爲創建一個策略，我需要IP和ARN之間的關係or。

這裏是我的知識產權政策看起來像：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "*" 
     }, 
     "Action": "es:*", 
     "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*", 
     "Condition": { 
     "IpAddress": { 
      "aws:SourceIp": "xxx.xx.xx.173" 
     } 
     } 
    } 
    ] 
} 

，這裏是我的ARN政策看起來像：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": [ 
      "arn:aws:iam::xxxxxxxxx:user/xxxx" 
     ] 
     }, 
     "Action": [ 
     "es:*" 
     ], 
     "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*" 
    } 
    ] 
} 

我怎樣才能讓他們之間的關係還是？

Answer 1

如果我理解你的問題正確，你應該能夠達到你想要什麼，加入這兩個聲明的對象爲statement陣列，如：

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": "*" 
     }, 
     "Action": "es:*", 
     "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*", 
     "Condition": { 
     "IpAddress": { 
      "aws:SourceIp": "xxx.xx.xx.173" 
     } 
     } 
    }, 
    { 
     "Effect": "Allow", 
     "Principal": { 
     "AWS": [ 
      "arn:aws:iam::xxxxxxxxx:user/xxxx" 
     ] 
     }, 
     "Action": [ 
     "es:*" 
     ], 
     "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*" 
    } 
    ] 
}