Access to a search domain is restricted by IP address so that only authorized hosts can submit documents and send search requests. You can authorize individual IP addresses or address ranges (subnets). IP addresses are specified in the standard Classless Inter-Domain Routing (CIDR) format, for example 10.24.34.0/24 specifies the range 10.24.34.0 - 10.24.34.255, while 10.24.34.0/32 specifies the single IP address 10.24.34.0. For more information about CIDR notation, see RFC 4632. Amazon CloudSearch access policies are specified using the AWS Identity and Access Management (IAM) Access Policy Language.
When you first create a search domain, it will not accept search or document service requests from any IP addresses. You must authorize specific IP addresses or address ranges before you can submit requests to your domain's endpoints through the command line tools or Amazon CloudSearch APIs. After you authorize one or more IP addresses, you can upload documents with the cs-post-sdf command or by sending requests to the documents/batch API. After you upload your documents, you can start submitting search requests.
You can also define access policy rules to deny particular addresses and address ranges. Deny rules take precedence over Allow rules.
Note
IP address authorization is used only to control access to the document and search APIs. The Amazon CloudSearch configuration API uses standard AWS authentication.
If you don't know your computer's IP address, you can go to http://www.whatsmyip.org/ to find out what it is. Keep in mind that if you do not have a static IP address, you must re-authorize your computer whenever your IP address changes. If your IP address is assigned dynamically, it is also likely that you're sharing that address with other computers on your network. This means that when you authorize the IP address, all computers that share it will be able to access your search domain's document and search endpoints.
Note
If you have made changes to your domain that require indexing, changes to the domain's access policies will not take effect until it is re-indexed. If re-indexing is needed, it will be indicated in the response to your update access policies request and shown on the domain dashboard in the console.
You can configure your access policies using the cs-configure-access-policies command, from the Amazon CloudSearch console, or by uploading an IAM policy document with the UpdateServiceAccessPolicies configuration action.
You use the cs-configure-access-policies command to configure access to your domain's document and search endpoints. Access to each endpoint is configured separately. You can retrieve your domain's current policy document using the cs-configure-access-policies command by specifying the --retrieve option. For information about installing and setting up the Amazon CloudSearch command line tools, see Amazon CloudSearch Command Line Tool Reference.
To configure access to your domain's document and search endpoints
Run the cs-configure-access-policies command in the --update mode to create a policy document that allows access to the document and search services. You specify the IP address or address range you want to authorize using the --allow option. To block specified addresses or address ranges, use the --deny option. You specify which service(s) to configure with the --service option, which accepts doc, search, or all. For example:
cs-configure-access-policies --domain-name movies --update --allow 192.0.2.0 --service all
=========================
Standardizing ip: 192.0.2.0; using: 192.0.2.0/32
[movies] Updating access policy:
{"Version":"2011-10-11","Id":"34f11d91-88d9-4e15-8ebe-05dffef103c6",
"Statement":[{"Sid":"1","Effect":"Allow","Action":"*",
"Resource":"arn:aws:cs:us-east-1:598352442322:search/movies",
"Condition":{"IpAddress":{"aws:SourceIp":["192.0.2.0/32"]}}},
{"Sid":"2","Effect":"Allow","Action":"*",
"Resource":"arn:aws:cs:us-east-1:598352442322:doc/movies",
"Condition":{"IpAddress":{"aws:SourceIp":["192.0.2.0/32"]}}}]}
Note
The Action name in the policy document is always set to the wildcard character (*). There are no specific action names supported at this time.
When prompted, enter y to confirm that you want to update the access policies for your domain.
Really update access policies for [movies] y/N: y
Your access policy update may take a few minutes to complete and its state will change to Active when complete.
To check the state, use cs-configure-access-policies --retrieve-policy --service all
The --update option merges the specified policy rules with the existing policy document and uploads the revised policy document to the domain.
The Amazon CloudSearch console enables you to easily add access policy rules to authorize or block particular IP addresses or address ranges. The console provides four shortcuts for defining access policy rules:
Recommended rules—enables anyone to search your data, but only you will be able to add and delete documents. Your domain's search endpoint will be reachable from any IP address, but only you will have access to the document endpoint.
Allow only my IP address access to all services—only you will be able to search your data and add and delete documents. Your domain's endpoints will not be reachable from any other IP address.
Allow everyone access to all services—enables anyone to search your data and add and delete documents from your domain. Your domain's endpoints will be accessible from any IP address.
Deny everyone access to all services—your domain's document and search endpoints will not be directly accessible. You can only upload documents or submit search requests through the Amazon CloudSearch console.
You can start with one of the shortcuts, and add additional rules to fine-tune access to your domain's endpoints. Deny rules take precedence over allow rules.
Note
When you use the shortcuts, your IP address is automatically detected. If it's not correct or not the address you want to authorize, you can modify it before submitting your changes. You might need to work with your IT department to determine which IP addresses to authorize.
To add access policy rules
Go to the Amazon CloudSearch console at https://console.aws.amazon.com/cloudsearch/home.
In the Navigation panel, click the name of the domain you want to configure, and then click the domain's Access Policies link.

On the domain's Access Policies page, choose one of the shortcuts or enter the IP addresses you want to authorize or block. To add additional IP addresses or address ranges to the rule, click the add (+) icon in the IP Ranges column. To remove an address or range from the rule, click its delete (-) icon in the IP Ranges column. To add a new rule to the policy, click the Add a New Rule button. To remove a rule from the policy, click the remove (x) button in the Remove column.

When you are done making changes to your access policy rules, click Submit. To exit without saving your changes, click Revert.
You use the UpdateServiceAccessPolicies configuration action to upload an IAM policy document that defines the access policies for your domain's document and search endpoints.
For example:
https://cloudsearch.us-east-1.amazonaws.com
?AccessPolicies={"Statement": [
{"Effect":"Allow", "Action": "*",
"Resource": "arn:aws:cs:us-east-1:360924696794:search/movies",
"Condition": { "IpAddress": { "aws:SourceIp": ["192.0.2.0/32"] } }},
{"Effect":"Allow", "Action": "*",
"Resource": "arn:aws:cs:us-east-1:360924696794:doc/movies",
"Condition": { "IpAddress": { "aws:SourceIp": ["192.0.2.0/32"] } }}
] }
&Action=UpdateServiceAccessPolicies
&DomainName=movies
&Version=2011-02-01
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE/20120330/us-east-1/cloudsearch/aws4_request
&X-Amz-Date=2012-03-30T19:27:45.110Z
&X-Amz-SignedHeaders=host
&X-Amz-Signature=801de749ab11a669925246f3d9454eee1dbc319f33523a4eb35a36ec93764e7d
Note
For readability, the request is shown without URL-encoding. Keep in mind that Amazon CloudSearch configuration requests must be URL-encoded. Configuration requests are authenticated using your AWS credentials. For more information about signing requests, see Request Authentication.
A policy document for Amazon CloudSearch contains a collection of statements that allow or deny access to the search and document service endpoints based on IP address. Note that the Action name is always set to the wildcard character (*). There are no specific action names supported at this time. You can retrieve your domain's current policy document with the DescribeServiceAccessPolicies action.
Access to each endpoint is configured separately. For example:
{
"Statement":[{
"Effect":"Allow",
"Action":"*",
"Resource":"arn:aws:cs:us-east-1:123456789012:doc/movies",
"Condition":{
"IpAddress":{
"aws:SourceIp":"192.0.2.0/24"
}
}
},
{
"Effect":"Allow",
"Action":"*",
"Resource":"arn:aws:cs:us-east-1:123456789012:search/movies",
"Condition":{
"IpAddress":{
"aws:SourceIp":"192.0.2.0/24"
}
}
}
]
}
The Amazon Resource Name (ARN) for a domain's endpoints is of the form:
arn:aws:cs:us-east-1:awsaccountid:service/domain
The service can be either doc or search. The domain is the name of the domain for which you are configuring access. You can get a domain's ARNs with the DescribeDomains configuration action or the cs-describe-domains command. For more information, see Getting Information about an Amazon CloudSearch Domain.
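The following is an added example, not code from the Amazon CloudSearch documentation or its tools. It evaluates a policy document in the page's own format against a source address and endpoint ARN, applying the rules the page states: a bare address is standardized to a /32 as in the cs-configure-access-policies output above, a domain with no matching Allow rule accepts nothing, and Deny rules take precedence over Allow rules. The sample policy, the account id and the fixed us-east-1 region are constructed values.

```python
import ipaddress
import json

# Constructed sample policy in the page's shape (not a real domain): the doc endpoint
# is open to one /24, search to everyone, one address in that /24 denied on doc.
SAMPLE_POLICY = json.loads("""
{"Version":"2011-10-11","Statement":[
 {"Sid":"1","Effect":"Allow","Action":"*",
  "Resource":"arn:aws:cs:us-east-1:123456789012:doc/movies",
  "Condition":{"IpAddress":{"aws:SourceIp":["192.0.2.0/24"]}}},
 {"Sid":"2","Effect":"Allow","Action":"*",
  "Resource":"arn:aws:cs:us-east-1:123456789012:search/movies",
  "Condition":{"IpAddress":{"aws:SourceIp":"0.0.0.0/0"}}},
 {"Sid":"3","Effect":"Deny","Action":"*",
  "Resource":"arn:aws:cs:us-east-1:123456789012:doc/movies",
  "Condition":{"IpAddress":{"aws:SourceIp":["192.0.2.77"]}}}
]}
""")

def standardize_ip(value):
    """Normalise a rule value as the CLI does: a bare address becomes a /32."""
    return ipaddress.ip_network(value, strict=False)

def _as_list(value):
    # aws:SourceIp and Resource may be one string or a list of strings.
    return value if isinstance(value, list) else [value]

def endpoint_arn(account_id, service, domain):
    """Endpoint ARN in the page's form; region assumed fixed to us-east-1 here."""
    if service not in ("doc", "search"):
        raise ValueError("service must be 'doc' or 'search'")
    return f"arn:aws:cs:us-east-1:{account_id}:{service}/{domain}"

def is_allowed(policy, resource_arn, source_ip):
    """Default deny: with no matching Allow a request is refused (a fresh
    domain accepts nothing), and a matching Deny overrides any Allow."""
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy.get("Statement", []):
        if resource_arn not in _as_list(stmt["Resource"]):
            continue
        cond = stmt.get("Condition")
        if cond is not None:  # no Condition means the rule matches any source
            ranges = _as_list(cond["IpAddress"]["aws:SourceIp"])
            if not any(ip in standardize_ip(r) for r in ranges):
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = allowed or stmt["Effect"] == "Allow"
    return allowed
```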