
After setting up AWS Elasticsearch, I installed Logstash and a Kibana proxy on a static-IP server, and added this domain access policy on ES; it's working fine:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    }
  ]
}

Now I need to allow a Lambda function to execute the es:ESHttpDelete action on AWS ES, so I created the function with the existing role service-role/Elasticsearch, then copied the relevant ARN from the IAM Management console to add it to the AWS ES access policy, and came up with this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}

The problem is that on ES I can only choose a domain access policy for either a static IP or an ARN, not both. When I tried to merge them manually, not using the console, it didn't work. I checked the AWS documentation but it doesn't mention whether that is possible or not.

alexwlchan
Jubba Smail
FWIW, Amazon Developer Support is very good, but it costs you $30 a month. I don't know the answer and, as you said, the docs don't really talk about how to do what you want to do. – Daniel Wisehart Sep 10 '16 at 00:23

Your first policy has a prohibited Principal field. How did you ever get it to work? Instead of specifying a Principal, try adding a second condition where you compare the Principal ARN. – JayEye Sep 11 '16 at 01:07

1 Answer


You can add multiple policy statements inside the Statement array in the JSON format of the policy. So, your final policy would be something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}
hjpotter92
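The answer's point is that a domain access policy is just a JSON document with a Statement array, so the two single-statement policies from the question can be combined by concatenating their statements. The script below is an added example (it is not from the question, the answer, or AWS) that does that merge programmatically and then lints the result for the two mistakes most likely to make a hand-merged policy either rejected or far too open: whitespace inside a principal ARN (the question's role ARN as pasted has a space after `iam::`, which this example assumes was a paste error), and an anonymous principal `"*"` that is allowed without any Condition. The account id, region, domain name, role name and IP address are the values shown in the question; the sample policies are constructed in the script so it runs offline.

```python
"""Merge AWS Elasticsearch domain access policies and lint the result.

Added example, not code from the question or answer. Sample values below
are the ones shown in the question; the role ARN assumes the space after
'iam::' in the question was a paste error.
"""
import copy
import json
import re

# Constructed sample: the IP-restricted statement from the question.
IP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["192.192.192.192"]}},
    }],
}

# Constructed sample: the role-principal statement from the question.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::323137313233:role/service-role/Elasticsearch"]},
        "Action": ["es:*"],
        "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
    }],
}

# arn:partition:service:region:account:resource  (region is empty for IAM ARNs)
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:\S+$")


def _as_list(value):
    """IAM allows many fields to be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def merge_policies(*policies):
    """Concatenate the Statement arrays of several policies into one document.

    Statements are deep-copied, an empty "Sid" is dropped, and statements
    that are exact duplicates are kept only once.
    """
    versions = {p.get("Version", "2012-10-17") for p in policies}
    if len(versions) != 1:
        raise ValueError(f"policies disagree on Version: {sorted(versions)}")
    merged = {"Version": versions.pop(), "Statement": []}
    seen = set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            stmt = copy.deepcopy(stmt)
            if stmt.get("Sid") == "":
                del stmt["Sid"]
            key = json.dumps(stmt, sort_keys=True)
            if key not in seen:
                seen.add(key)
                merged["Statement"].append(stmt)
    return merged


def lint_policy(policy):
    """Return a list of human-readable findings; an empty list means none."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p == "*":
                continue
            if any(c.isspace() for c in p):
                findings.append(f"statement {i}: whitespace inside principal ARN {p!r}")
            elif not ARN_RE.match(p):
                findings.append(f"statement {i}: malformed principal ARN {p!r}")
        # An Allow for everyone is only acceptable when something (here the
        # source IP) narrows it down.
        if "*" in aws and stmt.get("Effect") == "Allow" and not stmt.get("Condition"):
            findings.append(f"statement {i}: anonymous principal '*' allowed with no Condition")
        ips = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if "0.0.0.0/0" in _as_list(ips):
            findings.append(f"statement {i}: aws:SourceIp 0.0.0.0/0 restricts nothing")
    return findings


def merge_and_lint(*policies):
    """Convenience wrapper: merged document plus its lint findings."""
    merged = merge_policies(*policies)
    return merged, lint_policy(merged)


if __name__ == "__main__":
    merged, findings = merge_and_lint(IP_POLICY, ROLE_POLICY)
    print(json.dumps(merged, indent=2))
    print("findings:", findings or "none")
    # The same document with the stray space from the question pasted back in.
    as_posted = json.loads(json.dumps(ROLE_POLICY).replace("iam::3", "iam:: 3"))
    print("findings (ARN as posted):", lint_policy(as_posted))
```

Run it as a script to see the merged document, which has the same shape as the answer's policy. The linter runs on every statement, so it also flags the case JayEye's comment warns about in a different form: a statement that grants access to principal `"*"` with no Condition at all, which is the one merge outcome that is worse than the policy not applying.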