After setting up AWS Elasticsearch, I installed Logstash and Kibana proxy server on a static IP server and added this domain access policy on ES, and it works fine:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "es:*", "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*", "Condition": { "IpAddress": { "aws:SourceIp": [ "192.192.192.192" ] } } } ] }
Now I need to enable the Lambda functions to perform the es:ESHttpDelete on AWS ES, so I created a function with the existing service-role/Elasticsearch , then copied the relevant ARN from the IAM Managment console to add it to the AWS ES access policy to come up with this :
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch" ] }, "Action": [ "es:*" ], "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*" } ] }
Problem in ES I must either choose a domain access policy for static IP or ARN, but not both. When I tried to combine them manually without using the console, this did not work. I checked the AWS documentation, but they did not mention if this is possible or not.
source share