I'm running a Python app in a Fargate container. I've got the following access policy on the Elasticsearch cluster:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "*"
        }
    ]
}
This works as expected; however, I need to avoid using a wildcard for the resource. I've tried using the ARN of the cluster, arn:aws:ecs:region:account_number:cluster/cluster_name, but this disables access from the Python app.
I've looked through and couldn't find any other ARN to use. Even using arn:aws:ecs:region:account_number:* doesn't work. What ARN should I be using to restrict access to the cluster?
CodePudding user response:
It should be the ARN of your IAM task role, which you use to sign queries to ES.
Your current policy is for anonymous access and does not require any signing of HTTP requests with valid IAM credentials. If you restrict access to ES to the IAM role, you may need to modify your application (unless it is already doing that) to actually sign the HTTP queries to ES.
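As an added illustration of the answer above (not code from the original post): a domain access policy that trusts only the task role, and a stdlib-only SigV4 signer showing what the Python app has to attach to each request once anonymous access is gone. The role ARN, domain ARN, hostname, keys and token below are constructed placeholders; a real app would normally let boto3 or requests-aws4auth do this signing.

```python
import datetime
import hashlib
import hmac

def restricted_policy(role_arn: str, domain_arn: str) -> dict:
    # Domain access policy: trust only the task role as principal and scope
    # the resource to the domain ARN plus "/*" (every path under the domain).
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": "es:ESHttp*",
            "Resource": f"{domain_arn}/*",
        }],
    }

def sign_es_request(method, host, path, body, access_key, secret_key, region,
                    session_token=None, amz_date=None):
    # Build SigV4 headers for service "es". `path` must already be URI-encoded
    # and carry no query string. Fargate task-role credentials include a
    # session token, which must be sent and signed as x-amz-security-token.
    amz_date = amz_date or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-content-sha256": payload_hash}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join([method, path, "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, payload_hash])
    scope = f"{date}/{region}/es/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "es", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

In Fargate the access key, secret and session token for the task role come from the container credentials provider; boto3.Session().get_credentials() exposes them to application code.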