

This is a machine-translated version of the English text. If there is any ambiguity or inconsistency, the English version takes precedence.

# Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)
<a name="gsg-serverless-cli"></a>

This tutorial walks you through the steps described in the [console security getting started tutorial](gsg-serverless.md), but using the AWS CLI instead of the OpenSearch Service console.

In this tutorial, you complete the following steps:

1. Create an IAM permissions policy

1. Attach the IAM policy to an IAM role

1. Create an encryption policy

1. Create a network policy

1. Create a collection

1. Configure a data access policy

1. Retrieve the collection endpoint

1. Upload data to your collection

1. Search data in the collection

The goal of this tutorial is to set up a single OpenSearch Serverless collection with fairly simple encryption, network, and data access settings. For example, we'll configure public network access, an AWS owned key for encryption, and a simplified data access policy that grants the minimum permissions to a single user.

For production scenarios, consider implementing a more robust configuration, including SAML authentication, a custom encryption key, and VPC access.

**To get started with security policies in OpenSearch Serverless**

1. **Note**  
   If you already use a broader identity-based policy, such as `"Action":"aoss:*"` or `"Action":"*"`, you can skip this step. In production environments, however, we recommend that you follow the principle of least privilege and assign only the minimum permissions required to complete the task.

   To get started, create an AWS Identity and Access Management (IAM) policy with the minimum permissions required to perform the steps in this tutorial. We'll name the policy `TutorialPolicy`:

   ```
   aws iam create-policy \
     --policy-name TutorialPolicy \
     --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"
   ```

   **Sample response**

   ```
   {
       "Policy": {
           "PolicyName": "TutorialPolicy",
           "PolicyId": "ANPAW6WRAECKG6QJWUV7U",
           "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy",
           "Path": "/",
           "DefaultVersionId": "v1",
           "AttachmentCount": 0,
           "PermissionsBoundaryUsageCount": 0,
           "IsAttachable": true,
           "CreateDate": "2022-10-16T20:57:18+00:00",
           "UpdateDate": "2022-10-16T20:57:18+00:00"
       }
   }
   ```

1. Attach `TutorialPolicy` to the IAM role that will index and search data in the collection. We'll name the role `TutorialRole`:

   ```
   aws iam attach-role-policy \
     --role-name TutorialRole \
     --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy
   ```

1. Before you create a collection, you need to create an [encryption policy](serverless-encryption.md) that assigns an AWS owned key to the *books* collection that you'll create in a later step.

   Send the following request to create an encryption policy for the *books* collection:

   ```
   aws opensearchserverless create-security-policy \
     --name books-policy \
     --type encryption --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"
   ```

   **Sample response**

   ```
   {
       "securityPolicyDetail": {
           "type": "encryption",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDAwNTk5MF8x",
           "policy": {
               "Rules": [
                   {
                       "Resource": [
                           "collection/books"
                       ],
                       "ResourceType": "collection"
                   }
               ],
               "AWSOwnedKey": true
           },
           "createdDate": 1669240005990,
           "lastModifiedDate": 1669240005990
       }
   }
   ```

1. Create a [network policy](serverless-network.md) that provides public access to the *books* collection:

   ```
   aws opensearchserverless create-security-policy --name books-policy --type network \
     --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"
   ```

   **Sample response**

   ```
   {
       "securityPolicyDetail": {
           "type": "network",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDI1Njk1NV8x",
           "policy": [
               {
                   "Rules": [
                       {
                           "Resource": [
                               "collection/books"
                           ],
                           "ResourceType": "dashboard"
                       },
                       {
                           "Resource": [
                               "collection/books"
                           ],
                           "ResourceType": "collection"
                       }
                   ],
                   "AllowFromPublic": true,
                   "Description": "Public access for books collection"
               }
           ],
           "createdDate": 1669240256955,
           "lastModifiedDate": 1669240256955
       }
   }
   ```

1. Create the *books* collection:

   ```
   aws opensearchserverless create-collection --name books --type SEARCH
   ```

   **Sample response**

   ```
   {
       "createCollectionDetail": {
           "id": "8kw362bpwg4gx9b2f6e0",
           "name": "books",
           "status": "CREATING",
           "type": "SEARCH",
           "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
           "kmsKeyArn": "auto",
           "createdDate": 1669240325037,
           "lastModifiedDate": 1669240325037
       }
   }
   ```

1. Create a [data access policy](serverless-data-access.md) that provides the minimum permissions to index and search data in the *books* collection. Replace the principal ARN with the ARN of `TutorialRole` from step 1:

   ```
   aws opensearchserverless create-access-policy \
     --name books-policy \
     --type data \
     --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"
   ```

   **Sample response**

   ```
   {
       "accessPolicyDetail": {
           "type": "data",
           "name": "books-policy",
           "policyVersion": "MTY2OTI0MDM5NDY1M18x",
           "policy": [
               {
                   "Rules": [
                       {
                           "Resource": [
                               "index/books/books-index"
                           ],
                           "Permission": [
                               "aoss:CreateIndex",
                               "aoss:DescribeIndex",
                               "aoss:ReadDocument",
                               "aoss:WriteDocument",
                               "aoss:UpdateDocument",
                               "aoss:DeleteDocument"
                           ],
                           "ResourceType": "index"
                       }
                   ],
                   "Principal": [
                       "arn:aws:iam::123456789012:role/TutorialRole"
                   ]
               }
           ],
           "createdDate": 1669240394653,
           "lastModifiedDate": 1669240394653
       }
   }
   ```

   `TutorialRole` should now be able to index documents and search in the *books* collection.

1. To call the OpenSearch API, you need the collection endpoint. Send the following request to retrieve the `collectionEndpoint` parameter:

   ```
   aws opensearchserverless batch-get-collection --names books
   ```

   **Sample response**

   ```
   {
       "collectionDetails": [
           {
               "id": "8kw362bpwg4gx9b2f6e0",
               "name": "books",
               "status": "ACTIVE",
               "type": "SEARCH",
               "description": "",
               "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
               "createdDate": 1665765327107,
               "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com",
               "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards"
           }
       ],
       "collectionErrorDetails": []
   }
   ```
   **Note**  
   You can't see the collection endpoint until the collection status changes to `ACTIVE`. You might have to make multiple calls to check the status before the collection is successfully created.

1. Use an HTTP tool such as [Postman](https://www.getpostman.com/) or curl to index data into the *books* collection. We'll create an index named *books-index* and add a single document.

   Using the credentials of `TutorialRole`, send the following request to the collection endpoint that you retrieved in the previous step.

   ```
   PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1
   { 
     "title": "The Shining",
     "author": "Stephen King",
     "year": 1977
   }
   ```

   **Sample response**

   ```
   {
     "_index" : "books-index",
     "_id" : "1",
     "_version" : 1,
     "result" : "created",
     "_shards" : {
       "total" : 0,
       "successful" : 0,
       "failed" : 0
     },
     "_seq_no" : 0,
     "_primary_term" : 0
   }
   ```

1. To start searching data in the collection, use the [search API](https://opensearch.org/docs/latest/opensearch/rest-api/search/). The following query performs a basic search:

   ```
   GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search
   ```

   **Sample response**

   ```
   {
       "took": 405,
       "timed_out": false,
       "_shards": {
           "total": 6,
           "successful": 6,
           "skipped": 0,
           "failed": 0
       },
       "hits": {
           "total": {
               "value": 2,
               "relation": "eq"
           },
           "max_score": 1.0,
           "hits": [
               {
                   "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0",
                   "_id": "F_bt4oMBLle5pYmm5q4T",
                   "_score": 1.0,
                   "_source": {
                       "title": "The Shining",
                       "author": "Stephen King",
                       "year": 1977
                   }
               }
           ]
       }
   }
   ```