Below I have an IP-based Access Policy that allows everything for 6 IP addresses, and then allows deletion for only one of those IP addresses. It was thought that it would give an explicit deny for delete to all the other IP addresses, and then the explicit deny would trump the full access to the other 5 IP addresses. That doesn't seem to be the case. Can someone help me understand what trumps what in permissions for the Access Policies? The small table that is available in the Identity and Access Management documentation does little to help me understand how Elasticsearch sees things. Please help enlighten me.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:region:id:domain/domainname/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.230",
            "120.450.780.231",
            "120.450.780.232",
            "120.450.780.233",
            "120.450.780.234",
            "120.450.780.235"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:region:id:domain/domainname*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "120.450.780.235"
          ]
        }
      }
    }
  ]
}
CodePudding user response:
Still haven't found the "rules" for Elasticsearch Allow/Deny, etc., but apparently I have to explicitly deny or allow for it to happen. Implicit deny doesn't really work.
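To make the evaluation order concrete, here is an added example (not from the question or the answer above) that simulates how IAM evaluates the posted policy and a version with an explicit Deny added: a matching explicit Deny always wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied. The domain ARN and the 192.0.2.x addresses are constructed placeholders, and only the IpAddress/NotIpAddress operators on aws:SourceIp are modelled.

```python
import fnmatch
import ipaddress

DOMAIN = "arn:aws:es:us-east-1:123456789012:domain/example"  # assumed placeholder ARN
TRUSTED = [f"192.0.2.{n}" for n in range(230, 236)]          # six constructed source IPs
DELETER = "192.0.2.235"                                       # the only IP meant to delete


def _listify(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    # IAM treats '*' in Action and Resource values as a wildcard
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))


def _condition_holds(cond, source_ip):
    ip = ipaddress.ip_address(source_ip)
    for op, keys in cond.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator {op}")
        nets = [ipaddress.ip_network(v, strict=False) for v in _listify(keys.get("aws:SourceIp", []))]
        hit = any(ip in n for n in nets)
        if (op == "IpAddress" and not hit) or (op == "NotIpAddress" and hit):
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Explicit Deny wins; otherwise an Allow must match; otherwise implicit Deny."""
    allowed = False
    for s in policy["Statement"]:
        if not (_matches(s["Action"], action) and _matches(s["Resource"], resource)
                and _condition_holds(s.get("Condition", {}), source_ip)):
            continue  # statement does not apply to this request
        if s["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def _stmt(effect, action, cond_op, ips):
    return {"Effect": effect, "Principal": {"AWS": "*"}, "Action": action,
            "Resource": DOMAIN + "/*", "Condition": {cond_op: {"aws:SourceIp": ips}}}


# As posted: two Allows. The narrower delete Allow grants nothing the broad
# "es:*" Allow did not already grant, so no trusted IP is ever denied.
ORIGINAL = {"Version": "2012-10-17", "Statement": [
    _stmt("Allow", "es:*", "IpAddress", TRUSTED),
    _stmt("Allow", "es:ESHttpDelete", "IpAddress", [DELETER])]}

# With an explicit Deny on delete for every source except DELETER, the Deny
# overrides the broad Allow for the other five addresses.
CORRECTED = {"Version": "2012-10-17", "Statement": ORIGINAL["Statement"] + [
    _stmt("Deny", "es:ESHttpDelete", "NotIpAddress", [DELETER])]}
```

Calling `evaluate(ORIGINAL, "es:ESHttpDelete", DOMAIN + "/idx/_doc/1", "192.0.2.230")` returns "Allow", while the same call against CORRECTED returns "Deny" and DELETER keeps its "Allow".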