
How to Properly Secure S3 with IAM and CORS?

I've figured out how to set up CORS and IAM so I can post images to and display images from S3. I have two main issues.

  1. What I have seems insecure because, from my understanding of what I have, anyone could access it.
  2. If I secure it, I can no longer test properly on localhost. And I don't have the option of setting it to be accessible on localhost from a work network because we're all remote.

Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:PutObjectAcl",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ]
            },
            {
                "Sid": "read only policy",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::bucket-name/*"
            }
        ]
    }

CORS

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
        <CORSRule>
            <AllowedOrigin>*</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <AllowedMethod>POST</AllowedMethod>
            <AllowedMethod>PUT</AllowedMethod>
            <AllowedMethod>HEAD</AllowedMethod>
            <MaxAgeSeconds>3000</MaxAgeSeconds>
            <AllowedHeader>*</AllowedHeader>
        </CORSRule>
    </CORSConfiguration>

So, how do I secure my configurations while still allowing development from localhost?

Will using "Condition": {"StringLike": {"aws:Referer": [ ... ]}} prevent access from localhost?

You can lock down the S3 bucket without using the Referer tag. It is probably more secure to use it after testing is complete.

In the AWS S3 console, you can grant permissions to access the bucket to yourself. As long as the Grantee does not say 'Everyone', everyone does not have access to the bucket.

You can then generate an IAM access key for yourself in IAM > Users > 'user_name'. This key can be used to authenticate with the bucket.
You will also want to grant the user the AmazonS3FullAccess by attaching it as a policy.

You should be able to use the user's credentials that you just generated to access and modify files in S3.
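As an added example (not from the question or the answer above), this Python script flags the two settings that make the posted configuration world-accessible: a bucket-policy statement that lets any principal write, and a CORS rule that lets any origin use write methods. The policy and CORS document are constructed copies of the ones in the question; the answer's approach (a bucket that is not granted to 'Everyone', accessed with IAM user credentials) addresses the first check, and naming explicit origins in the CORS rule instead of `*` addresses the second.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the bucket policy posted in the question.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:PutObjectAcl", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
        {"Sid": "read only policy", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-name/*"},
    ],
}

# Constructed copy of the CORS configuration posted in the question.
CORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod>
  <AllowedMethod>POST</AllowedMethod><AllowedMethod>PUT</AllowedMethod>
  <AllowedMethod>HEAD</AllowedMethod><AllowedHeader>*</AllowedHeader></CORSRule>
</CORSConfiguration>"""

# Action prefixes (lower-cased) that modify bucket contents or grant everything.
WRITE_PREFIXES = ("s3:put", "s3:delete", "s3:*", "*")


def is_public_principal(principal):
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_write_statements(policy):
    """Return the Sid of each unconditioned Allow statement that lets anyone write."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # narrowed by a Condition block; review by hand rather than auto-flag
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a.lower().startswith(WRITE_PREFIXES) for a in actions):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def wildcard_write_cors_rules(cors_xml):
    """Return the index of each CORSRule that lets any origin use a non-read method."""
    ns = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
    flagged = []
    for i, rule in enumerate(ET.fromstring(cors_xml).findall("s3:CORSRule", ns)):
        origins = [o.text for o in rule.findall("s3:AllowedOrigin", ns)]
        methods = [m.text for m in rule.findall("s3:AllowedMethod", ns)]
        if "*" in origins and any(m not in ("GET", "HEAD") for m in methods):
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("public-write statements:", public_write_statements(BUCKET_POLICY))
    print("wildcard-origin write CORS rules:", wildcard_write_cors_rules(CORS_XML))
```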
