jos*_*ezr 7 security amazon-s3 amazon-web-services
I am implementing uploads to S3 using pre-signed URLs, but I have doubts about it.
According to the S3:PutObject documentation, in order to specify SSE-KMS encryption I need to specify both:
x-amz-server-side-encryption: aws:kms
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
In particular, the latter is documented as:
This header specifies the ID of the AWS Key Management Service
In my current use case, since I am dealing with cross-account bucket access, the value of x-amz-server-side-encryption-aws-kms-key-id must be the full ARN.
I have always treated any internal identifier as a secret, but this documentation raises the following question:
As additional (maybe) useful information, I ran the equivalent AWS CLI command for this operation in debug mode; here is a fragment of the full output:
2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Checking for DNS compatible bucket for: https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2
2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Not changing URI, bucket is not DNS compatible: %BUCKET_NAME%
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - CanonicalRequest:
PUT /%BUCKET_NAME%/sample_file.bin.2
content-md5:XXXXXoXNw5aXreJi4EOxA==
content-type:application/octet-stream
host:s3.%REGION%.amazonaws.com
x-amz-acl:bucket-owner-full-control
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:%DATE%T193805Z
x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%
content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id
UNSIGNED-PAYLOAD
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
%DATE%T193805Z
%DATE%/%REGION%/s3/aws4_request
XXXXXXbdbe72de054b86a2ab9043d29132a37c10498546743fff9b941a325f89
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Signature:
XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.hooks - DEBUG - Event request-created.s3.PutObject: calling handler <function signal_transferring at 0x7fc79472ebf8>
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2, headers={'x-amz-acl': b'bucket-owner-full-control', 'x-amz-server-side-encryption': b'aws:kms', 'x-amz-server-side-encryption-aws-kms-key-id': b'arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%', 'Content-Type': b'application/octet-stream', 'User-Agent': b'aws-cli/1.16.261 Python/3.6.12 Linux/5.3.18-lp152.60-preempt botocore/1.15.38', 'Content-MD5': b'7XXXXXXNw5aXreJi4EOxA==', 'Expect': b'100-continue', 'X-Amz-Date': b'%DATE%T193805Z', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'Authorization': b'AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXX/%DATE%/%REGION%/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id, Signature=XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65', 'Content-Length': '1048576'}>
I can see the full KMS key ID in the headers...
PS: I have redacted most of the metadata and identifiers.
This is definitely not a secret. While I wouldn't hand out my ARNs on a street corner, they are safe to use in headers and the like.
A third party could use a leaked ARN to attempt actions against your resources, but since they are outside the resource's trust zone, they are denied by default. The only way to change this is to deploy a resource policy that explicitly grants access to principals outside the resource's zone.
In this case, the principal you are trying to grant s3:PutObject to will need to know the appropriate key name/alias specified for encryption, otherwise you will end up with objects in the bucket that cannot be decrypted.
Views: 1786