Control Elasticsearch Access Securely via RAM User Permissions - Elasticsearch

To let team members — such as O&M, development, or data analytics personnel — access your Alibaba Cloud Elasticsearch cluster, attach the appropriate policy to each RAM user. You can also create user groups and attach policies at the group level to manage permissions in bulk.

Policies

RAM policies fall into two categories:

System policies: Predefined by Alibaba Cloud. You can use them but cannot modify them. Use system policies as a starting point, and switch to custom policies when you need finer-grained control.

Policy name	Access level	Attach to
`AliyunElasticsearchReadOnlyAccess`	Read-only on Elasticsearch or Logstash clusters	Read-only users
`AliyunElasticsearchFullAccess`	Full management of Elasticsearch clusters, Logstash clusters, or Beats shippers	Administrators

Custom policies: Policies you create and manage. Use custom policies when system policies are too broad for your use case. For more information, see Create a custom policy.

For more information about RAM, see What is RAM?

Prerequisites

Before you begin, ensure that you have:

A RAM user. See Create a RAM user

Grant permissions to a RAM user

Log on to the RAM console as a RAM administrator.
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the RAM user and click Add Permissions in the Actions column. To grant permissions to multiple users at once, select them and click Add Permissions at the bottom of the page.
In the Grant Permission panel, configure the following parameters:
1. Resource Scope: Select the scope for the authorization.
  - Account: The authorization applies to the current Alibaba Cloud account.
  - Resource Group: The authorization applies to a specific resource group. > Important: If you select Resource Group, make sure the cloud service supports resource groups. See Services that work with Resource Group. For an example of granting resource group permissions, see Use a resource group to grant a RAM user the permissions to manage a specific ECS instance.
2. Principal: The RAM user to grant permissions to. The current RAM user is selected automatically.
3. Policy: Select one or more policies to attach. Policies are classified as system policies or custom policies.
  - System policies: Created by Alibaba Cloud. You can use but cannot modify them. Alibaba Cloud maintains version updates. See Services that work with RAM. > Note: The system automatically identifies high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. Avoid attaching these unless strictly necessary.
  - Custom policies: Policies you manage. You can create, update, and delete them. See Create a custom policy.
4. Click Grant permissions.
Click Close.

Permissions take effect immediately. The RAM user can now log on to the Elasticsearch console and perform the authorized operations.

What's next

To revoke permissions when a RAM user no longer needs access, see Revoke permissions from a RAM user.
For a full overview of granting permissions to RAM users, see Grant permissions to RAM users.