使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

Limit actions within Opensearch Serverless IAM policy

0

I'm trying to limit the actions given within my IAM role statement but it is only working when full access is given (aoss:*). I'm trying to limit this down to only allow users to have minimum access to the collection.

Below is my working example:

iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - '*'

I have had a look at the documentation and implemented the full list of actions to then try eliminate one by one, but with the full action list added it is still throwing an error. The example is shown below.

iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
                  - aoss:DeleteCollection
                  - aoss:UpdateCollection
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:BatchGetCollection
                  - aoss:BatchGetVpcEndpoint
                  - aoss:CreateAccessPolicy
                  - aoss:CreateCollection
                  - aoss:CreateSecurityConfig
                  - aoss:CreateSecurityPolicy
                  - aoss:CreateVpcEndpoint
                  - aoss:DeleteAccessPolicy
                  - aoss:DeleteSecurityConfig
                  - aoss:DeleteSecurityPolicy
                  - aoss:DeleteVpcEndpoint
                  - aoss:GetAccessPolicy
                  - aoss:GetAccountSettings
                  - aoss:GetPoliciesStats
                  - aoss:GetSecurityConfig
                  - aoss:GetSecurityPolicy
                  - aoss:ListAccessPolicies
                  - aoss:ListCollections
                  - aoss:ListSecurityConfigs
                  - aoss:ListSecurityPolicies
                  - aoss:ListTagsForResource
                  - aoss:ListVpcEndpoints
                  - aoss:UpdateAccessPolicy
                  - aoss:UpdateAccountSettings
                  - aoss:UpdateSecurityConfig
                  - aoss:UpdateSecurityPolicy
                  - aoss:UpdateVpcEndpoint
              Resource:
                  - '*'

Any help would be greatly appreciated!

主题
安全、身份和合规性分析数据库
标签
AWS 身份和访问权限管理IAM 策略亚马逊 OpenSearch Serverless
语言
English
pabs
已提问 10 个月前465 查看次数
1 回答
0

Hello.
What error messages are you getting?

profile picture
专家
Riku_Kobayashi
已回答 10 个月前
  • pabs
    10 个月前

    It's returning a 403 Forbidden error.

  • Riku_Kobayashi 专家
    10 个月前

    Am I correct in assuming that the following policies are working properly? By the way, is this policy the one used by IAM users, etc.?

    iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - '*'

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容