堆栈内存溢出
  简体   繁体   English

AWS S3签名URL作为超链接的安全性

[英]AWS S3 The security of a signed URL as a hyperlink

 原文  2015-06-03 02:09:22       security/ hyperlink/ amazon-s3/ download

问题描述

Is this safe? 这样安全吗? Maintaining security using a pre-signed url with AWS S3 Bucket object? 使用带有AWS S3 Bucket对象的预签名URL维护安全性? 

<a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a>

Another words - part 1... 另一个词 - 第1部分......

say I'm storing a bunch of separate individual's files in a bucket. 说我在存储桶中存储了一堆独立的个人文件。 I want to provide a link to a file for a user. 我想为用户提供文件的链接。 Obviously, each file is uniquely but consecutively named, I don't want people to be able to change the link from 40.pdf to 30.pdf and get a different file. 显然,每个文件都是唯一但连续命名的,我不希望人们能够将链接从40.pdf更改为30.pdf并获取不同的文件。 This URL seems to do that. 这个URL似乎是这样做的。

part 2, and more importantly.... 第2部分,更重要的是......

Is this safe or is a it dangerous method of displaying a URL in terms of the security of my bucket? 这是安全的还是在我的存储桶的安全性方面显示URL的危险方法? Clearly, i will be giving away my "access key" here, but of course, not my "secret". 很明显,我会在这里放弃我的“访问密钥”,当然,不是我的“秘密”。

Already answered 3 years ago... sorry. 3年前已经回答了...抱歉。 How secure are Amazon AWS Access keys? Amazon AWS Access密钥的安全性如何?

1 个解决方案

解决方案1
 15 已采纳  2015-06-04 08:22:55

AWS Security Credentials are used when making API calls to AWS. 在对AWS进行API调用时使用AWS Security Credentials。 They consist of two components: 它们由两部分组成:

  • Access Key (eg AKIAISEMTXNOG4ABPC6Q ): This is similar to a username. 访问密钥 (例如AKIAISEMTXNOG4ABPC6Q ):这类似于用户名。 It is okay for people to see it. 人们可以看到它。
  • Secret Key : This is a long string of random characters that is a shared secret between you and AWS. 密钥 :这是一长串随机字符,是您和AWS之间的共享密钥 When making API calls, the SDK uses the shared secret to 'sign' your API calls. 在进行API调用时,SDK会使用共享密钥“签署”您的API调用。 This is a one-way hash, so people cannot reverse-engineer your secret key. 这是单向哈希,因此人们无法对您的密钥进行反向工程。 The secret key should be kept private. 密钥应该保密。

A Signed URL is a method of granting time-limited access to an S3 object. 签名URL是一种授予对S3对象的时间限制访问权限的方法。 The URL contains the Access Key and a Signature, which is a one-way hash calculated from the object, expiry time and the Secret Key. URL包含访问密钥和签名,签名是从对象,到期时间和密钥计算的单向哈希。

A Signed URL is safe because: 签名URL是安全的,因为:

  • It is valid for only a limited time period that you specify 它仅在您指定的有限时间段内有效
  • It is valid only for the Amazon S3 object that you specify 它仅对您指定的Amazon S3对象有效
  • It cannot be used to retrieve a different object nor can the time period be modified (because it would invalidate the signature) 它不能用于检索不同的对象,也不能修改时间段(因为它会使签名无效)

However, anyone can use the URL during the valid time period. 但是, 任何人都可以在有效时间段内使用该URL。 So, if somebody Tweets the URL, many people could potentially access the object until the expiry time. 因此,如果某人发布了URL,许多人可能会在到期时间之前访问该对象。 This potential security threat should be weighed against the benefit of serving traffic directly from Amazon S3 rather than having to run your own web servers. 应该权衡这种潜在的安全威胁,直接从Amazon S3提供流量,而不必运行自己的Web服务器。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何创建签名的 S3 url - How to create a signed S3 url 从 AWS Firehouse 到 S3 的数据安全性 - Security in data from AWS Firehouse to S3 在Web App中公开AWS S3签名URL? - Exposing AWS S3 Signed URLs in Web App? 提供私人内容:S3签名URL与CloudFront签名URL - Serving Private Content: S3 Signed URL vs CloudFront Signed URL 如何在没有安全漏洞的情况下使用 AWS S3 凭证? - How to use AWS S3 credentials without security vulnerability? AWS 私有 S3 存储桶可从经过身份验证的 URL - AWS private S3 bucket available from authenticated URL 如何为在S3中上传的文件启用AWS-S3-安全策略 - How to enable AWS-S3-security policy for files uploaded in S3 每桶的Amazon S3安全凭证 - Amazon S3 security credentials per bucket 带有随机密钥的公共S3对象的安全性 - Security of public S3 objects with random keys 直接将浏览器上传到S3中的安全性问题 - Security concern in direct browser uploads to S3
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM