Adding Custom Annotations or Metadata to AWS access policy


I currently have an access policy for an Elasticsearch domain that looks like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ES_DOMAIN_HERE/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "**.**.***.***",
            "**.***.***.***",
            "**.***.***.**",
            "***.***.***.**",
            ...
          ]
        }
      }
    }
  ]
}

It is a pain to remember what each of the whitelisted IPs is for, and maintaining the list of IPs would be much easier if I could annotate the policy with a description of the IP. I imagine something like the below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ES_DOMAIN_HERE/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "**.**.***.***",
            "**.***.***.***",
            "**.***.***.**",
            "***.***.***.**",
            ...
          ]
        }
      },
      "meta": {
        "IpAddress": {
            "**.**.***.***" : "INACTIVE - Test Server",
            "**.***.***.***" : "General Server",
            "**.***.***.**" : "Main Office",
            "***.***.***.**" : "Remote Server",
            ...
        }
      }
    }
  ]
}

How do I add annotations or metadata to my access policy?

1

There are 1 answers

0
sudo On

As of now there is no policy element available which will serve your purpose. You may consider referring to or adding some information in the Sid element of your policy, but that will not be enough for what you are looking for.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
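One way to get the annotations the question asks for without putting unsupported elements into the policy, as an added example that is not from the asker or the answerer: keep the IP-to-description map outside the policy, generate one Statement per active IP with the description carried in the Sid (Sid values must be alphanumeric, so the text is sanitised), and audit a live policy against that map to spot undocumented or INACTIVE addresses that are still allowed. The allowlist entries, the domain ARN and the account id are constructed sample values.

```python
import json
import re

# Constructed sample allowlist (not from the page): IP/CIDR -> human description.
ALLOWLIST = {
    "203.0.113.5/32": "INACTIVE - Test Server",
    "198.51.100.0/24": "Main Office",
    "192.0.2.17/32": "Remote Server",
}

def sid_from(description):
    """Sid values may only contain letters and digits, so strip everything else."""
    return re.sub(r"[^A-Za-z0-9]", "", description) or "Unnamed"

def build_policy(domain_arn, allowlist):
    """Render the resource policy from the annotated allowlist.

    One statement per active entry, with the description in the Sid, so the
    policy stays valid for IAM while every allowed IP remains self-describing.
    Entries whose description starts with INACTIVE are left out entirely."""
    statements = []
    for ip, description in sorted(allowlist.items()):
        if description.upper().startswith("INACTIVE"):
            continue
        statements.append({
            "Sid": sid_from(description),
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": domain_arn + "/*",
            "Condition": {"IpAddress": {"aws:SourceIp": [ip]}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

def audit_policy(policy, allowlist):
    """Return (ip, reason) for allowed source IPs that are undocumented or inactive."""
    findings = []
    for stmt in policy.get("Statement", []):
        ips = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        for ip in ([ips] if isinstance(ips, str) else ips):
            description = allowlist.get(ip)
            if description is None:
                findings.append((ip, "no description on record"))
            elif description.upper().startswith("INACTIVE"):
                findings.append((ip, "still allowed but marked " + description))
    return findings

if __name__ == "__main__":
    # Constructed domain ARN; replace with the real one when generating a policy.
    policy = build_policy("arn:aws:es:us-east-1:123456789012:domain/example", ALLOWLIST)
    print(json.dumps(policy, indent=2))
    print(audit_policy(policy, ALLOWLIST))
```

Descriptions must stay distinct, since Sid values within one policy have to be unique.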