Saturday, July 11, 2026

What does the below access_policy mean?

{


"Version":"2012-10-17",


"Statement":[


{


"Resource":"arn:aws:es:us-west-2:111111111111:domain/my-domain/*",


"Principal":{


"AWS":"arn:aws:iam::111111111111:role/allowedrole1"


},


"Action":[


"es:ESHttpGet"


],


"Effect":"Allow"


},


{


"Effect":"Allow",


"Principal":{


"AWS":"*"


},


"Action":"es:*",


"Condition":{


"IpAddress":{


"aws:SourceIp":[


"203.0.113.0/24",


"2001:DB8:1234:5678::/64"


]


}


},


"Resource":"arn:aws:es:us-west-2:111111111111:domain/my-domain/*"


}


]



This JSON snippet represents an Amazon OpenSearch Service (formerly Elasticsearch Service) access policy. It is a resource-based policy that defines who is allowed to perform specific actions on a specific domain named my-domain in the us-west-2 region.


Here is the breakdown of the two statements included in the policy:


Statement 1: Role-Based Access

Effect: Allows the specified action.


Principal: Only the IAM role allowedrole1 in account 111111111111 is granted access.


Action: Restricted to es:ESHttpGet, meaning this role can only perform HTTP GET requests (read-only operations like searching or retrieving data) on the domain.


Resource: Applies to all resources within the domain my-domain.


Statement 2: IP-Based Access

Effect: Allows the specified actions.


Principal: Any AWS user (*) is theoretically permitted, but this is heavily restricted by the Condition block.


Action: es:* allows any OpenSearch/Elasticsearch action (including read, write, and administrative actions).


Condition: This access is only granted if the request originates from the specific IP addresses listed: 203.0.113.0/24 (IPv4) or 2001:DB8:1234:5678::/64 (IPv6).


Resource: Applies to the same domain my-domain.


Summary

This policy effectively creates two paths for access to your OpenSearch domain:


Authenticated Role Access: A specific internal IAM role is granted limited read-only access to the domain regardless of its origin.


Network-Based Access: Any user or process connecting from your trusted office/corporate network IP ranges is granted full administrative and operational control (es:*) over the domain.


No comments:

Post a Comment