
Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI) - Amazon OpenSearch Service

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.

Tutorial: Getting started with security in Amazon OpenSearch Serverless (CLI)

This tutorial walks through the same steps as the console getting started tutorial, but uses the AWS CLI instead of the OpenSearch Service console.

In this tutorial you complete the following steps:

  1. Create an IAM permissions policy

  2. Attach the IAM policy to an IAM role

  3. Create an encryption policy

  4. Create a network policy

  5. Create a collection

  6. Configure a data access policy

  7. Retrieve the collection endpoint

  8. Upload data to your collection

  9. Search data in the collection

The goal of this tutorial is to set up a single OpenSearch Serverless collection with fairly simple encryption, network, and data access settings. For example, you configure public network access, an AWS managed key for encryption, and a simplified data access policy that grants minimum permissions to a single user.

In a production scenario, consider implementing a more robust configuration, including SAML authentication, custom encryption keys, and VPC access.

Getting started with security policies in OpenSearch Serverless
  1. Note

    If you already use a broader identity-based policy, such as "Action":"aoss:*" or "Action":"*", you can skip this step. In a production environment, however, follow the principle of least privilege and assign only the minimum permissions required to complete the task.

    To begin, create an AWS Identity and Access Management policy with the minimum permissions required to perform the steps in this tutorial. Name the policy TutorialPolicy.

    aws iam create-policy \
        --policy-name TutorialPolicy \
        --policy-document "{\"Version\": \"2012-10-17\",\"Statement\": [{\"Action\": [\"aoss:ListCollections\",\"aoss:BatchGetCollection\",\"aoss:CreateCollection\",\"aoss:CreateSecurityPolicy\",\"aoss:GetSecurityPolicy\",\"aoss:ListSecurityPolicies\",\"aoss:CreateAccessPolicy\",\"aoss:GetAccessPolicy\",\"aoss:ListAccessPolicies\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}]}"

    Example response

    {
        "Policy": {
            "PolicyName": "TutorialPolicy",
            "PolicyId": "ANPAW6WRAECKG6QJWUV7U",
            "Arn": "arn:aws:iam::123456789012:policy/TutorialPolicy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "2022-10-16T20:57:18+00:00",
            "UpdateDate": "2022-10-16T20:57:18+00:00"
        }
    }
  2. Attach TutorialPolicy to the IAM role that will index and search data in the collection. In this example, the role is named TutorialRole.

    aws iam attach-role-policy \
        --role-name TutorialRole \
        --policy-arn arn:aws:iam::123456789012:policy/TutorialPolicy
  3. Before you create a collection, you need to create an encryption policy that assigns an AWS owned key to the books collection that you create in a later step.

    Send the following request to create an encryption policy for the books collection:

    aws opensearchserverless create-security-policy \
        --name books-policy \
        --type encryption \
        --policy "{\"Rules\":[{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AWSOwnedKey\":true}"

    Example response

    {
        "securityPolicyDetail": {
            "type": "encryption",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDAwNTk5MF8x",
            "policy": {
                "Rules": [
                    {
                        "Resource": [
                            "collection/books"
                        ],
                        "ResourceType": "collection"
                    }
                ],
                "AWSOwnedKey": true
            },
            "createdDate": 1669240005990,
            "lastModifiedDate": 1669240005990
        }
    }
  4. Create a network policy that provides public access to the books collection:

    aws opensearchserverless create-security-policy \
        --name books-policy \
        --type network \
        --policy "[{\"Description\":\"Public access for books collection\",\"Rules\":[{\"ResourceType\":\"dashboard\",\"Resource\":[\"collection\/books\"]},{\"ResourceType\":\"collection\",\"Resource\":[\"collection\/books\"]}],\"AllowFromPublic\":true}]"

    Example response

    {
        "securityPolicyDetail": {
            "type": "network",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDI1Njk1NV8x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "dashboard"
                        },
                        {
                            "Resource": [
                                "collection/books"
                            ],
                            "ResourceType": "collection"
                        }
                    ],
                    "AllowFromPublic": true,
                    "Description": "Public access for books collection"
                }
            ],
            "createdDate": 1669240256955,
            "lastModifiedDate": 1669240256955
        }
    }
  5. Create the books collection:

    aws opensearchserverless create-collection --name books --type SEARCH

    Example response

    {
        "createCollectionDetail": {
            "id": "8kw362bpwg4gx9b2f6e0",
            "name": "books",
            "status": "CREATING",
            "type": "SEARCH",
            "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
            "kmsKeyArn": "auto",
            "createdDate": 1669240325037,
            "lastModifiedDate": 1669240325037
        }
    }
  6. Create a data access policy that provides the minimum permissions to index and search data in the books collection. Replace the principal ARN with the ARN of TutorialRole from step 1:

    aws opensearchserverless create-access-policy \
        --name books-policy \
        --type data \
        --policy "[{\"Rules\":[{\"ResourceType\":\"index\",\"Resource\":[\"index\/books\/books-index\"],\"Permission\":[\"aoss:CreateIndex\",\"aoss:DescribeIndex\",\"aoss:ReadDocument\",\"aoss:WriteDocument\",\"aoss:UpdateIndex\",\"aoss:DeleteIndex\"]}],\"Principal\":[\"arn:aws:iam::123456789012:role\/TutorialRole\"]}]"

    Example response

    {
        "accessPolicyDetail": {
            "type": "data",
            "name": "books-policy",
            "policyVersion": "MTY2OTI0MDM5NDY1M18x",
            "policy": [
                {
                    "Rules": [
                        {
                            "Resource": [
                                "index/books/books-index"
                            ],
                            "Permission": [
                                "aoss:CreateIndex",
                                "aoss:DescribeIndex",
                                "aoss:ReadDocument",
                                "aoss:WriteDocument",
                                "aoss:UpdateDocument",
                                "aoss:DeleteDocument"
                            ],
                            "ResourceType": "index"
                        }
                    ],
                    "Principal": [
                        "arn:aws:iam::123456789012:role/TutorialRole"
                    ]
                }
            ],
            "createdDate": 1669240394653,
            "lastModifiedDate": 1669240394653
        }
    }

    TutorialRole should now be able to index and search documents in the books collection.

  7. To call the OpenSearch API, you need the collection endpoint. Send the following request to retrieve the collectionEndpoint parameter:

    aws opensearchserverless batch-get-collection --names books

    Example response

    {
        "collectionDetails": [
            {
                "id": "8kw362bpwg4gx9b2f6e0",
                "name": "books",
                "status": "ACTIVE",
                "type": "SEARCH",
                "description": "",
                "arn": "arn:aws:aoss:us-east-1:123456789012:collection/8kw362bpwg4gx9b2f6e0",
                "createdDate": 1665765327107,
                "collectionEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com",
                "dashboardEndpoint": "https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/_dashboards"
            }
        ],
        "collectionErrorDetails": []
    }
    Note

    The collection endpoint is not available until the collection status changes to ACTIVE. You might need to make several calls to check the status until the collection has been created successfully.

  8. Use an HTTP tool such as Postman or curl to index data into the books collection. The following example creates an index called books-index and adds a single document.

    Using the credentials of TutorialRole, send the following request to the collection endpoint that you retrieved in the previous step.

    PUT https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_doc/1
    {
        "title": "The Shining",
        "author": "Stephen King",
        "year": 1977
    }

    Example response

    {
        "_index" : "books-index",
        "_id" : "1",
        "_version" : 1,
        "result" : "created",
        "_shards" : {
            "total" : 0,
            "successful" : 0,
            "failed" : 0
        },
        "_seq_no" : 0,
        "_primary_term" : 0
    }
  9. To start searching the data in the collection, use the search API. The following query performs a basic search:

    GET https://8kw362bpwg4gx9b2f6e0.us-east-1.aoss.amazonaws.com/books-index/_search

    Example response

    {
        "took": 405,
        "timed_out": false,
        "_shards": {
            "total": 6,
            "successful": 6,
            "skipped": 0,
            "failed": 0
        },
        "hits": {
            "total": {
                "value": 2,
                "relation": "eq"
            },
            "max_score": 1.0,
            "hits": [
                {
                    "_index": "books-index:0::3xJq14MBUaOS0wL26UU9:0",
                    "_id": "F_bt4oMBLle5pYmm5q4T",
                    "_score": 1.0,
                    "_source": {
                        "title": "The Shining",
                        "author": "Stephen King",
                        "year": 1977
                    }
                }
            ]
        }
    }
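The procedure above hand-escapes each policy into a --policy string and relies on repeated batch-get-collection calls until the collection is ACTIVE. The following is an added helper, not code from the AWS documentation: it builds the step 6 data access policy as a plain object, flags the tutorial-only shortcuts (public network access, wildcard principals or resources) before such policies are reused in production, and polls for ACTIVE through any callable with the shape of boto3's batch_get_collection(names=[...]). The stub fetcher, its endpoint id and the account id are constructed placeholders.

```python
import json
import time


def policy_arg(policy):
    """Serialize a policy for --policy or --policy-document without manual quote escaping."""
    return json.dumps(policy)


def data_access_policy(principal_arn, collection="books", index="books-index"):
    """Least-privilege data access policy from step 6: one index, one principal, index-level permissions only."""
    return [{
        "Rules": [{
            "ResourceType": "index",
            "Resource": [f"index/{collection}/{index}"],
            "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                           "aoss:WriteDocument", "aoss:UpdateIndex", "aoss:DeleteIndex"],
        }],
        "Principal": [principal_arn],
    }]


def audit_policies(network_policy, data_policy):
    """Return findings for settings that are acceptable in this tutorial but should be tightened in production."""
    findings = []
    for stmt in network_policy:
        if stmt.get("AllowFromPublic"):
            findings.append("network: AllowFromPublic is true")
    for stmt in data_policy:
        if "*" in stmt.get("Principal", []):
            findings.append("data: wildcard principal")
        for rule in stmt.get("Rules", []):
            for res in rule.get("Resource", []):
                if res.endswith("/*"):
                    findings.append(f"data: wildcard resource {res}")
    return findings


def wait_for_active(fetch, name="books", attempts=10, delay=0.0):
    """Poll batch-get-collection via fetch() until the collection is ACTIVE; return its collectionEndpoint."""
    for _ in range(attempts):
        details = fetch(names=[name])["collectionDetails"]
        detail = next((d for d in details if d["name"] == name), None)
        if detail and detail["status"] == "ACTIVE":
            return detail["collectionEndpoint"]
        time.sleep(delay)
    raise TimeoutError(f"collection {name} not ACTIVE after {attempts} polls")


# Constructed stub standing in for a boto3 client's batch_get_collection: CREATING on the first call, ACTIVE after.
_calls = {"n": 0}
def stub_batch_get_collection(names):
    _calls["n"] += 1
    detail = {"name": names[0], "status": "CREATING" if _calls["n"] == 1 else "ACTIVE"}
    if detail["status"] == "ACTIVE":
        detail["collectionEndpoint"] = "https://EXAMPLE-ID.us-east-1.aoss.amazonaws.com"  # placeholder, not a real collection
    return {"collectionDetails": [detail], "collectionErrorDetails": []}
```

With a real session, pass boto3.client("opensearchserverless").batch_get_collection as fetch and a positive delay; the requests in steps 8 and 9 still need SigV4 signing with the TutorialRole credentials, which this helper does not perform.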