How secure are presigned URLs in AWS S3?

I am planning to redirect users to presigned URLs of sensitive resources stored in S3. These get generated after checking the user's rights and have aggressive timeouts (30 secs). My worry, however, is whether it would be possible for some malware that is present on my client's machine to capture the URL and still download the file within the expiry time of the URL. Or am I just being too paranoid?

If this has been answered before, please point me in that direction. Appreciate your help.

Anyone who obtains the URL before expiry can use it to access the data. S3 supports bucket policies that limit the IP addresses that are allowed access to data:

http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html

However, in this case you are worried about malware on the client machine. So that wouldn't help. Have you considered encrypting the data such that only the client process can decrypt it?

You're still vulnerable to an insecure/careless client leaking the data somehow.

I found this - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html and gave it a try. It seems to work. Paraphrasing the code from the doc -

# Start a session with restricted permissions.
sts = AWS::STS.new()
policy = AWS::STS::Policy.new
policy.allow(
  :actions => ["s3:ListBucket"],
  :resources => "arn:aws:s3:::#{bucket_name}"
).condition.add(:like, :referer, "domain.com")

session = sts.new_federated_session(
  'User1',
  :policy => policy,
  :duration => 2*60*60)

So the policy that we create can have the originating IP address from which the client downloads and/or maybe the aws:Referer field set to my app's domain. I think this provides at least one level of obstruction to your resource. I get that the IP address or the referer can easily be spoofed. But it's better than not having any protection at all.

In the browser, the Web Cryptography API could be used to encrypt/decrypt the content, shared via a pre-signed S3 URL, to ensure it remains private.

As of today, the API is in an experimental stage, but is supported by every modern browser.

By using this API a private/public keypair can be generated in the browser. The private key should be stored in local storage and the public key should be sent to a lambda function. When we request the S3 content, we have to go to the lambda function first. The lambda function encrypts the content we want to share with the public key, stores it in S3 bucket and shares the encrypted object with a pre-signed URL.

By this method the content in the object remains private, even if somebody unprivileged has the pre-signed URL.
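
A sketch of the scheme described in the answer above, added here as an illustration and not code from the original post: because RSA-OAEP can only encrypt a few hundred bytes, it wraps a per-object AES-GCM key with the client's public key rather than encrypting the content directly. Assumptions: the function names are hypothetical, the Lambda and S3 steps are simulated in-process, and the private key is generated non-extractable (so it would be kept in IndexedDB rather than exported to local storage).

```javascript
// Added example (not from the original answer). Runs in a browser or Node.js.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const RSA = { name: "RSA-OAEP", hash: "SHA-256" };

// Client: generate the key pair; the private key is non-extractable, so
// script (including injected script) cannot export its raw bytes.
async function generateClientKeys() {
  const pair = await wc.subtle.generateKey(
    { ...RSA, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, ["encrypt", "decrypt"]);
  return { privateKey: pair.privateKey,
           publicSpki: await wc.subtle.exportKey("spki", pair.publicKey) };
}

// Server (the Lambda in the answer): encrypt content for one client's key.
// The returned object is what would be stored in S3 behind the pre-signed URL.
async function encryptForClient(publicSpki, plaintext) {
  const pub = await wc.subtle.importKey("spki", publicSpki, RSA, false, ["encrypt"]);
  const aesKey = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per object
  const ciphertext = await wc.subtle.encrypt({ name: "AES-GCM", iv }, aesKey, plaintext);
  const rawKey = await wc.subtle.exportKey("raw", aesKey);
  const wrappedKey = await wc.subtle.encrypt({ name: "RSA-OAEP" }, pub, rawKey);
  return { wrappedKey, iv, ciphertext };
}

// Client: unwrap the AES key with the private key, then decrypt and verify
// the GCM tag (tampered ciphertext makes decrypt() reject).
async function decryptOnClient(privateKey, obj) {
  const rawKey = await wc.subtle.decrypt({ name: "RSA-OAEP" }, privateKey, obj.wrappedKey);
  const aesKey = await wc.subtle.importKey("raw", rawKey, { name: "AES-GCM" }, false, ["decrypt"]);
  return wc.subtle.decrypt({ name: "AES-GCM", iv: obj.iv }, aesKey, obj.ciphertext);
}

// Constructed sample: the intended client decrypts; a second key pair stands
// in for someone who obtained the URL (and so the stored object) but no key.
async function demo() {
  const client = await generateClientKeys();
  const stranger = await generateClientKeys();
  const doc = new TextEncoder().encode("constructed sample document");
  const stored = await encryptForClient(client.publicSpki, doc);
  const recovered = new TextDecoder().decode(await decryptOnClient(client.privateKey, stored));
  const strangerBlocked = await decryptOnClient(stranger.privateKey, stored)
    .then(() => false, () => true);
  return { recovered, strangerBlocked };
}
```
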


Not tried, but the Amazon S3 service supports encryption with your own key.
