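I created an Amazon Elasticsearch service and populated data into it using Logstash, which is installed on an EC2 instance. On the Amazon Elasticsearch service console page, there is a link to access Kibana.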
search-cluster_name-XXXXXXXXXXXXXXXXXXX.region_name.es.amazonaws.com/_plugin/kibana/
When I click the link, the browser throws the following error.
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:region_name:account_id:domain/cluster_name/_plugin/kibana/"}
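I am sure this is related to the access policy of the ES domain. How should I modify my access policy so that I can access Kibana by clicking the specified link?
You can set up an access policy that uses both IAM-based and IP-address-based access.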
arn:aws:iam::aws:policy/AmazonESFullAccess
Here is a sample policy (the order of the statements matters!)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.168.1.0",
            "192.168.1.1"
          ]
        }
      }
    }
  ]
}
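A browser opening the Kibana link sends an unsigned request, which is why the error reports `User: anonymous`; only a statement with a wildcard principal can match it. The following check is an added example, not part of the original answer: it takes the policy above and reports whether an unsigned request from a given address would match an Allow statement, and whether any wildcard statement lacks an IP restriction. The function names are hypothetical, and the check is a simplification that ignores Deny statements, Action/Resource matching and condition operators other than `IpAddress`.

```python
import ipaddress
import json

# Policy from the answer above, unchanged (placeholder account id, sample IPs).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"},
   "Action": "es:*",
   "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"},
  {"Sid": "", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "es:*",
   "Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
   "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.1.0", "192.168.1.1"]}}}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anonymous_principal(principal):
    # "*" and {"AWS": "*"} both match unsigned requests such as a browser opening Kibana.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _source_ips(statement):
    # Addresses or CIDR blocks listed under Condition -> IpAddress -> aws:SourceIp.
    cond = statement.get("Condition", {})
    return _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))

def anonymous_allowed(policy, source_ip):
    """True if an unsigned request from source_ip matches an Allow statement."""
    addr = ipaddress.ip_address(source_ip)
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or not _anonymous_principal(st.get("Principal")):
            continue
        cidrs = _source_ips(st)
        if not cidrs and "Condition" not in st:
            return True  # wildcard principal with no condition at all
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False

def unrestricted_statements(policy):
    """Indexes of wildcard-principal Allow statements lacking an aws:SourceIp limit."""
    return [i for i, st in enumerate(_as_list(policy["Statement"]))
            if st.get("Effect") == "Allow"
            and _anonymous_principal(st.get("Principal"))
            and not _source_ips(st)]
```

For a domain with a public endpoint, `aws:SourceIp` is compared against the address the service sees, which is the caller's public IP.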