我想通过定义限制对 IAM 用户、特定 lambda 函数和 appsync API 的访问Access Policies来限制对 aws 上 elasticsearch 集群的访问。
我已经在云形成的弹性搜索资源中定义了以下access policies,但这失败并出现错误:Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
如何修复我的保单以使其有效?
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:",
{"Ref": "AWS::Region"},
":",
{"Ref": "AWS::AccountId"},
":function:",
{"Ref": "DdEsLambdaFunctionName"},
"-",
{"Ref": "env"}
]
]
},
{
"Fn::Join": [
"",
[
{"Ref": "GraphQLAPI"},
"/*"
]
]
}
]
},
"Action": [
"es:ESHttp*"
]
},
{
"Effect": "Allow",
"Principal": [
{
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{"Ref": "AWS::AccountId"},
":user/*"
]
]
}
}
],
"Action": "*"
}
]
},...}
不确定这是否是核心问题,但您的第一个Principal不正确。
您指定了Service但提供了 lambda ARN。ARN 属于主体类型AWS,而不是Service。可能GraphQLAPI也是一个 ARN,它也不是Service主体,而是AWS主体。