
Using Amazon TVM instead of a regular AccessKey/SecretKey

I am building an Android application that will send reports to a server. These reports are plain JSON files stored on Amazon S3. The Amazon user only has the PutObject permission on a specific S3 bucket.

The documentation states that we should use the Token Vending Machine mechanism instead of hardcoded keys within the application.

I cannot see the advantage of this method. I get that a hacker could decompile my app to find the keys. But his only choice then is to send files to the bucket, nothing else (no file listing, no file retrieval).

If I use the anonymous TVM, the process is:

  • Get a token valid for 24 hours
  • Use this token to send files to the bucket

A hacker could also call the TVM server to request unlimited tokens and send files to my bucket. It does not seem to solve this problem.

What is the real advantage in using TVM?

You can attach different authorizations to each mobile UID, giving you finer control over what you allow people to access. You can also control how much AWS access the TVM has using policies. You can also stop it at any given time. If they get your keys, you will have to disable the whole account. If you are OK with that, you probably don't need to use the TVM.
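The following script is an added illustration of the three points in the answer (per-UID scope-down policy, policy-limited token, and cutting a device or the whole TVM off without rotating the account key). It is not code from the original post and not Amazon's TVM sample (which has since been deprecated in favour of Amazon Cognito). Assumptions: the TVM would normally call STS `GetFederationToken` with a per-device scope-down policy; that call is replaced here by a local stub so the script runs offline, the bucket name `example-reports-bucket` and the device UIDs are made up, and `is_allowed` is a deliberately simplified IAM evaluator (Allow statements only, `*` wildcards, no Deny or Condition handling).

```python
"""Model of what a Token Vending Machine adds over a key baked into the APK.

Added example, not the original post's code and not Amazon's TVM source.
The STS call is stubbed out so this runs offline; the policy check is a
simplified IAM evaluator (Allow only, '*' wildcards, no Deny/Condition).
"""
import fnmatch
import secrets

BUCKET = "example-reports-bucket"   # assumed bucket name
TOKEN_LIFETIME = 24 * 3600          # the 24-hour token lifetime from the question


def device_policy(bucket, device_uid):
    """Scope-down policy the TVM attaches to one device's token:
    PutObject only, and only under that device's own prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/reports/{device_uid}/*"],
        }],
    }


class TokenVendingMachine:
    """Server-side component holding the long-lived key; devices never see it."""

    def __init__(self, bucket):
        self.bucket = bucket
        self.revoked = set()    # device UIDs the operator has cut off
        self.disabled = False   # "stop it at any given time"

    def vend(self, device_uid, now):
        if self.disabled:
            raise PermissionError("TVM disabled")
        if device_uid in self.revoked:
            raise PermissionError(f"device {device_uid} revoked")
        # Real TVM: sts.get_federation_token(Name=device_uid,
        #     Policy=json.dumps(device_policy(...)), DurationSeconds=TOKEN_LIFETIME)
        # Stubbed here so the example runs offline.
        return {
            "token": secrets.token_hex(16),
            "policy": device_policy(self.bucket, device_uid),
            "expires": now + TOKEN_LIFETIME,
        }


def is_allowed(creds, action, resource_arn, now):
    """Simplified IAM evaluation of the token's scope-down policy."""
    if now >= creds["expires"]:          # expired temporary credentials are useless
        return False
    for st in creds["policy"]["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in st["Action"])
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in st["Resource"])):
            return True
    return False


def demo():
    """Exercise one leaked device token and one revoked device; returns outcomes."""
    tvm = TokenVendingMachine(BUCKET)
    t0 = 1_700_000_000                   # constructed clock value
    creds = tvm.vend("device-A", t0)     # token as extracted from a compromised phone
    own = f"arn:aws:s3:::{BUCKET}/reports/device-A/r1.json"
    other = f"arn:aws:s3:::{BUCKET}/reports/device-B/r1.json"
    results = {
        "put_own_prefix": is_allowed(creds, "s3:PutObject", own, t0 + 60),
        "put_other_device": is_allowed(creds, "s3:PutObject", other, t0 + 60),
        "get_own_object": is_allowed(creds, "s3:GetObject", own, t0 + 60),
        "after_expiry": is_allowed(creds, "s3:PutObject", own, t0 + TOKEN_LIFETIME + 1),
    }
    # Operator spots abuse from device-A and revokes only that UID.
    tvm.revoked.add("device-A")
    try:
        tvm.vend("device-A", t0 + 120)
        results["revoked_device_can_refresh"] = True
    except PermissionError:
        results["revoked_device_can_refresh"] = False
    # Other devices keep working; the account key was never rotated.
    resource = tvm.vend("device-B", t0 + 120)["policy"]["Statement"][0]["Resource"][0]
    results["other_device_still_served"] = resource.endswith("/reports/device-B/*")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the script makes is that an attacker who extracts a token from one phone gets at most 24 hours of PutObject under one prefix, and the operator can cut that UID off at the TVM without touching the AccessKey/SecretKey, whereas a key hard-coded in the APK has to be disabled for everyone. It does not address the question's other concern, a hacker calling the anonymous TVM directly for fresh tokens; that needs rate limiting or device registration at the TVM, which the answer does not discuss.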
