aks

Reputation: 9491

AWS access policy to allow access from an IP address or an IAM user

I am using AWS Elasticsearch and I need to set up an access policy to allow a fixed IP to access Kibana and the web interface. I also want to allow a specific user access key to be able to access it from any IP, as the records will be inserted from our servers.

So it boils down to creating a policy where I need an OR relation between IP and ARN.

Here is what my IP policy looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xx.xx.173"
        }
      }
    }
  ]
}

And here is what my ARN policy looks like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxx:user/xxxx"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
    }
  ]
}

How can I get an OR relation between them?

Upvotes: 0

Views: 453

Answers (1)

n00b

Reputation: 6350

If I'm understanding your question properly, you should be able to achieve what you want by adding the two statement objects into the statement array, like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxx:domain/xxxx-xxxx-xxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xxx.xx.xx.173"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxx:user/xxxx"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:us-west-2:xxxxxxxxx:domain/xxxxxxxxxxxxxxxx/*"
    }
  ]
}

Upvotes: 1
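The OR behaviour the answer relies on, as an added example that is not part of the original thread: a deliberately simplified model of policy evaluation (Allow statements, `Principal.AWS` and `IpAddress`/`aws:SourceIp` only, no explicit Deny), not AWS's own engine. The account ID, domain name, user name and IP addresses are constructed placeholders, and `merge`, `statement_allows` and `is_allowed` are hypothetical helper names.

```python
import ipaddress

# Constructed placeholders: made-up account ID and documentation IP ranges.
DOMAIN = "arn:aws:es:us-west-2:111122223333:domain/example-domain/*"
USER = "arn:aws:iam::111122223333:user/ingest"

ip_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
    "Resource": DOMAIN,
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.173"}}}]}

user_policy = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [USER]}, "Action": ["es:*"],
    "Resource": DOMAIN}]}


def merge(*policies):
    """Concatenate the Statement arrays into one policy document."""
    stmts = [s for p in policies for s in p["Statement"]]
    return {"Version": "2012-10-17", "Statement": stmts}


def as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, principal, source_ip):
    """Every element inside one statement must match (AND)."""
    if stmt["Effect"] != "Allow":
        return False
    principals = as_list(stmt["Principal"]["AWS"])
    if "*" not in principals and principal not in principals:
        return False
    ip_cond = stmt.get("Condition", {}).get("IpAddress", {})
    cidrs = as_list(ip_cond.get("aws:SourceIp", []))
    # No IpAddress condition: the statement puts no limit on the source IP.
    addr = ipaddress.ip_address(source_ip)
    return not cidrs or any(
        addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def is_allowed(policy, principal, source_ip):
    """Any single matching Allow statement grants access (OR)."""
    return any(statement_allows(s, principal, source_ip)
               for s in policy["Statement"])


merged = merge(ip_policy, user_policy)
```

Calling `is_allowed(merged, None, "203.0.113.173")` returns `True` with no principal at all, which shows that the IP statement admits unsigned requests for every `es:*` action from that address. A request from any other address is allowed only when the caller is the listed IAM user.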
