Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI) - Amazon OpenSearch Service

This is a machine-translated version of the English original; if there is any ambiguity or inconsistency, the English version prevails.

Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)

This tutorial walks you through the steps described in the console getting-started tutorial for security, but uses the AWS CLI rather than the OpenSearch Service console.

In this tutorial, you'll complete the following steps:

  1. Create an IAM permissions policy

  2. Attach the IAM policy to an IAM role

  3. Create an encryption policy

  4. Create a network policy

  5. Create a collection

  6. Configure a data access policy

  7. Retrieve the collection endpoint

  8. Upload data to your collection

  9. Search data in the collection

The goal of this tutorial is to set up a single OpenSearch Serverless collection with fairly simple encryption, network, and data access settings. For example, we'll configure public network access, an AWS managed key for encryption, and a simplified data access policy that grants minimum permissions to a single user.

In production scenarios, consider implementing a more robust configuration, including SAML authentication, a custom encryption key, and VPC access.

Getting started with security policies in OpenSearch Serverless
  1. Note

    If you're already using a broader identity-based policy, such as "Action":"aoss:*" or "Action":"*", you can skip this step. In production environments, however, we recommend that you follow the principle of least privilege and assign only the minimum permissions required to complete a task.

    To get started, create an AWS Identity and Access Management policy with the minimum permissions required to perform the steps in this tutorial. We'll name the policy TutorialPolicy.

    aws iam create-policy \
      --policy-name TutorialPolicy \
      --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"

    Sample response

    {
        "Policy": {
            "PolicyName": "TutorialPolicy",
            "PolicyId": "ANPAW6WRAECKG6QJWUV7U",
            "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2022-10-16T20:57:18+00:00",
            "UpdateDate": "2022-10-16T20:57:18+00:00"
        }
    }
  2. Attach TutorialPolicy to an IAM role that will index and search data in the collection. We'll name the role TutorialRole.

    aws iam attach-role-policy \
      --role-name TutorialRole \
      --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy
  3. Before you create a collection, you need to create an encryption policy that assigns an AWS owned key to the books collection that you'll create in a later step.

    Send the following request to create an encryption policy for the books collection:

    aws opensearchserverless create-security-policy \
      --name books-policy \
      --type encryption \
      --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"

    Sample response

    {
        "securityPolicyDetail": {
            "type": "encryption",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDAwNTk5MF8x",
            "policy": {
                "Rules": [
                    {
                        "Resource": [
                            "collection/books"
                        ],
                        "ResourceType": "collection"
                    }
                ],
                "AWSOwnedKey": true
            },
            "createdDate": 1669240005990,
            "lastModifiedDate": 1669240005990
        }
    }
  4. Create a network policy that provides public access to the books collection:

    aws opensearchserverless create-security-policy \
      --name books-policy \
      --type network \
      --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"

    Sample response

    {
        "securityPolicyDetail": {
            "type": "network",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDI1Njk1NV8x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "dashboard"
                        },
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "collection"
                        }
                    ],
                    "AllowFromPublic": true,
                    "Description": "Public access for books collection"
                }
            ],
            "createdDate": 1669240256955,
            "lastModifiedDate": 1669240256955
        }
    }
  5. Create the books collection:

    aws opensearchserverless create-collection --name books --type SEARCH

    Sample response

    {
        "createCollectionDetail": {
            "id": "8kw362bpwg4gx9b2f6e0",
            "name": "books",
            "status": "CREATING",
            "type": "SEARCH",
            "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
            "kmsKeyArn": "auto",
            "createdDate": 1669240325037,
            "lastModifiedDate": 1669240325037
        }
    }
  6. Create a data access policy that provides the minimum permissions to index and search data in the books collection. Replace the principal ARN with the ARN of TutorialRole from step 2:

    aws opensearchserverless create-access-policy \
      --name books-policy \
      --type data \
      --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"

    Sample response

    {
        "accessPolicyDetail": {
            "type": "data",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDM5NDY1M18x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "index/books/books-index"
                            ],
                            "Permission": [
                                "aoss:CreateIndex",
                                "aoss:DescribeIndex",
                                "aoss:ReadDocument",
                                "aoss:WriteDocument",
                                "aoss:UpdateDocument",
                                "aoss:DeleteDocument"
                            ],
                            "ResourceType": "index"
                        }
                    ],
                    "Principal": [
                        "arn:aws:iam::123456789012:role/TutorialRole"
                    ]
                }
            ],
            "createdDate": 1669240394653,
            "lastModifiedDate": 1669240394653
        }
    }

    TutorialRole should now be able to index and search documents in the books collection.

  7. To call the OpenSearch API, you need the collection endpoint. Send the following request to retrieve the collectionEndpoint parameter:

    aws opensearchserverless batch-get-collection --names books

    Sample response

    {
        "collectionDetails": [
            {
                "id": "8kw362bpwg4gx9b2f6e0",
                "name": "books",
                "status": "ACTIVE",
                "type": "SEARCH",
                "description": "",
                "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
                "createdDate": 1665765327107,
                "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com",
                "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards"
            }
        ],
        "collectionErrorDetails": []
    }
    Note

    You can't see the collection endpoint until the collection status changes to ACTIVE. You might have to make several calls to check the status before the collection is successfully created.

  8. Use an HTTP tool such as Postman or curl to index data into the books collection. We'll create an index named books-index and add a single document.

    Using the credentials of TutorialRole, send the following request to the collection endpoint that you retrieved in the previous step.

    PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1
    {
      "title": "The Shining",
      "author": "Stephen King",
      "year": 1977
    }

    Sample response

    {
      "_index" : "books-index",
      "_id" : "1",
      "_version" : 1,
      "result" : "created",
      "_shards" : {
        "total" : 0,
        "successful" : 0,
        "failed" : 0
      },
      "_seq_no" : 0,
      "_primary_term" : 0
    }
  9. To begin searching data in the collection, use the search API. The following query performs a basic search:

    GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search

    Sample response

    {
        "took": 405,
        "timed_out": false,
        "_shards": {
            "total": 6,
            "successful": 6,
            "skipped": 0,
            "failed": 0
        },
        "hits": {
            "total": {
                "value": 2,
                "relation": "eq"
            },
            "max_score": 1.0,
            "hits": [
                {
                    "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0",
                    "_id": "F_bt4oMBLle5pYmm5q4T",
                    "_score": 1.0,
                    "_source": {
                        "title": "The Shining",
                        "author": "Stephen King",
                        "year": 1977
                    }
                }
            ]
        }
    }
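Steps 3 to 9 above as one Python example, added here and not taken from the AWS tutorial or the aws CLI itself. It builds the encryption, network and data access policy documents as Python objects and serialises them once, so the hand-escaped --policy strings in the commands above do not have to be retyped; runs a small least-privilege check that flags the settings the tutorial says to tighten for production (AllowFromPublic, wildcard principals, resources or permissions); returns collectionEndpoint only once batch-get-collection reports ACTIVE, which is the polling condition from step 7; and assembles a curl command that signs the step 8 and 9 requests with SigV4 as TutorialRole. The account id, collection name and region are the tutorial's placeholders; the SourceVPCEs network-policy key is AWS's documented field for VPC-endpoint-only access; curl's --aws-sigv4 option (curl 7.75 or later) and the aoss signing name are assumed for the signed request; the lint rules and the sample VPC endpoint id are my own construction.

```python
"""Added example for this tutorial (not AWS code): build, lint and apply the
books collection policies from steps 3-9 without hand-escaping JSON.

Assumptions: 123456789012 and us-east-1 are the tutorial's placeholders;
signed_curl relies on curl >= 7.75 (--aws-sigv4) and on the 'aoss' SigV4
service name used for OpenSearch Serverless data-plane requests.
"""
import json
import os
import shlex
from typing import Optional

ACCOUNT_ID = "123456789012"                       # placeholder from the tutorial
REGION = "us-east-1"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/TutorialRole"
COLLECTION, INDEX = "books", "books-index"

# Exactly the index-level actions step 6 grants; no "aoss:*".
INDEX_PERMISSIONS = ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                     "aoss:WriteDocument", "aoss:UpdateIndex", "aoss:DeleteIndex"]


def encryption_policy(collection: str) -> dict:
    """Step 3: an AWS owned key for one named collection."""
    return {"Rules": [{"ResourceType": "collection",
                       "Resource": [f"collection/{collection}"]}],
            "AWSOwnedKey": True}


def network_policy(collection: str, public: bool = True, vpc_endpoints=()) -> list:
    """Step 4 as written (public), or restricted to VPC endpoints for production."""
    scope = "Public" if public else "VPC endpoint"
    stmt = {"Description": f"{scope} access for {collection} collection",
            "Rules": [{"ResourceType": "dashboard", "Resource": [f"collection/{collection}"]},
                      {"ResourceType": "collection", "Resource": [f"collection/{collection}"]}],
            "AllowFromPublic": public}
    if not public:
        stmt["SourceVPCEs"] = list(vpc_endpoints)   # OpenSearch Serverless VPC endpoint ids
    return [stmt]


def data_access_policy(collection: str, index: str, principal_arn: str) -> list:
    """Step 6: one principal, one index, an explicit action list."""
    return [{"Rules": [{"ResourceType": "index",
                        "Resource": [f"index/{collection}/{index}"],
                        "Permission": list(INDEX_PERMISSIONS)}],
             "Principal": [principal_arn]}]


def policy_json(policy) -> str:
    """Compact JSON, the form the CLI --policy argument takes."""
    return json.dumps(policy, separators=(",", ":"))


def cli_command(policy_type: str, policy, name: str = f"{COLLECTION}-policy") -> list:
    """argv for subprocess.run; no shell, so the JSON needs no backslash escaping."""
    sub = "create-access-policy" if policy_type == "data" else "create-security-policy"
    return ["aws", "opensearchserverless", sub, "--name", name,
            "--type", policy_type, "--policy", policy_json(policy)]


def lint(network: list, data: list) -> list:
    """Flag what the tutorial says to tighten before production."""
    findings = []
    for stmt in network:
        if stmt.get("AllowFromPublic"):
            findings.append("network: AllowFromPublic is true; use SourceVPCEs in production")
    for stmt in data:
        for principal in stmt["Principal"]:
            if principal.endswith(":root") or "*" in principal:
                findings.append(f"data: overly broad principal {principal}")
        for rule in stmt["Rules"]:
            if any(r.endswith("/*") for r in rule["Resource"]):
                findings.append("data: wildcard resource covers every index in the collection")
            if any(p.endswith("*") for p in rule["Permission"]):
                findings.append("data: wildcard permission; list the actions actually needed")
    return findings


def collection_endpoint(batch_get_response: dict, name: str) -> Optional[str]:
    """Step 7: the endpoint is usable only once status is ACTIVE; None means poll again."""
    for detail in batch_get_response.get("collectionDetails", []):
        if detail.get("name") == name and detail.get("status") == "ACTIVE":
            return detail["collectionEndpoint"]
    return None


def signed_curl(endpoint: str, method: str, path: str, body=None,
                access_key=None, secret_key=None, session_token=None,
                region: str = REGION) -> list:
    """Steps 8-9: curl argv that SigV4-signs the request with TutorialRole's credentials."""
    access_key = access_key or os.environ.get("AWS_ACCESS_KEY_ID", "")
    secret_key = secret_key or os.environ.get("AWS_SECRET_ACCESS_KEY", "")
    session_token = session_token or os.environ.get("AWS_SESSION_TOKEN")
    argv = ["curl", "-sS", "-X", method, "--aws-sigv4", f"aws:amz:{region}:aoss",
            "--user", f"{access_key}:{secret_key}", "-H", "Content-Type: application/json"]
    if session_token:                      # assumed-role credentials carry a session token
        argv += ["-H", f"x-amz-security-token: {session_token}"]
    if body is not None:
        argv += ["--data", policy_json(body)]
    return argv + [f"{endpoint}{path}"]


if __name__ == "__main__":
    network = network_policy(COLLECTION)
    data = data_access_policy(COLLECTION, INDEX, ROLE_ARN)
    for finding in lint(network, data):
        print("WARNING", finding)
    for ptype, policy in (("encryption", encryption_policy(COLLECTION)),
                          ("network", network), ("data", data)):
        print(shlex.join(cli_command(ptype, policy)))   # dry run: printed, not executed
    doc = {"title": "The Shining", "author": "Stephen King", "year": 1977}
    print(shlex.join(signed_curl("https://<collection-id>.us-east-1.aoss.amazonaws.com", "PUT",
                                 f"/{INDEX}/_doc/1", doc, access_key="AKIAEXAMPLE", secret_key="x")))
```

Run as-is it is a dry run: it prints the WARNING for the public network policy and the three create commands with correctly quoted JSON, then a signed PUT for the step 8 document. To apply for real, pass each `cli_command(...)` list to `subprocess.run`, call `collection_endpoint` on the parsed batch-get-collection output in a loop until it returns a value, and then run the `signed_curl(...)` argv with the assumed-role credentials for TutorialRole (access key, secret and session token) in the environment.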