Password protected image file

Problem description

I want to create or update an image file with password protection. Scenario is, our infra team will upload an image file to AWS S3. Later we want to protect this image file with a password from Java. Password will be auto generated and will not be disclosed to anyone. If anyone tries to download the image directly from AWS S3, it should not open. I have tried Server-Side encryption in AWS S3:

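import com.amazonaws.services.s3.model.CopyObjectRequest;
import com.amazonaws.services.s3.model.ObjectMetadata;

// Copy the object onto itself so its metadata is rewritten with SSE-S3 (AES-256) enabled
CopyObjectRequest request = new CopyObjectRequest(bucket, key, bucket, key);
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setServerSideEncryption(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
request.setNewObjectMetadata(objectMetadata);
s3client.copyObject(request);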

But still I'm able to open it. Is there any other way to do it?

Recommended answer

Server-Side Encryption merely encrypts the data stored on disk. It is not a method for protecting access to data.

Rather, it appears that your requirement is:

  • Store some data (eg an image) on Amazon S3 and keep it private
  • Selectively allow people to download it if they have been authorized

The most suitable solution would be to use an Amazon S3 Pre-Signed URL.

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

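  • Access Control List permissions on individual objects
  • Bucket Policies (that grant wide-ranging access based on path, IP address, referrer, etc)
  • IAM Users and Groups (that grant permissions to Users with AWS credentials)
  • Pre-Signed URLs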

A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content without requiring a web server.

It would be the responsibility of your application to appropriately authenticate users to determine whether they are allowed access to objects in S3. If they are granted access, then your application should generate a pre-signed URL as an authenticated link to the objects. The URL will only be valid for a limited time duration.

This is best done by having a back-end app (probably running on Amazon EC2 or AWS Lambda) perform the authentication and then generate the URL. Your authenticated user can then use the pre-signed URL to download the object during the allocated time period (eg 5 minutes).

This method has several benefits over the use of a password:

  • It properly authenticates the user (through your code) rather than merely trusting anyone who knows the password
  • It allows you to log access, so you know who is accessing the object
  • Your back-end app could generate an HTML page filled with many pre-signed URLs and your users could simply click the links to access the objects, rather than having to provide a password for every object they wish to download
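
An added example (not part of the original answer and not AWS sample code) of the back-end flow the answer describes, written against the AWS SDK for Java v1 that the question uses: authorize the user, log the decision, then issue a 5-minute pre-signed GET URL. The class name `ImageLinkService`, the `mayRead` authorization predicate, the user name, bucket and key are assumptions made for illustration.

```java
import com.amazonaws.HttpMethod;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;

import java.net.URL;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.function.BiPredicate;
import java.util.logging.Logger;

/** Hypothetical back-end helper: authorize first, then hand out a short-lived link. */
public class ImageLinkService {
    private static final Logger LOG = Logger.getLogger(ImageLinkService.class.getName());
    private static final Duration LINK_LIFETIME = Duration.ofMinutes(5);

    private final AmazonS3 s3;
    private final BiPredicate<String, String> mayRead; // (userId, objectKey) -> allowed?

    public ImageLinkService(AmazonS3 s3, BiPredicate<String, String> mayRead) {
        this.s3 = s3;
        this.mayRead = mayRead;
    }

    /** Returns a pre-signed GET URL, or throws if the authenticated user is not allowed. */
    public URL issueDownloadUrl(String userId, String bucket, String key) {
        if (!mayRead.test(userId, key)) {
            LOG.warning(() -> "denied user=" + userId + " key=" + key);
            throw new SecurityException("user is not authorized for this object");
        }
        Date expiry = Date.from(Instant.now().plus(LINK_LIFETIME));
        GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucket, key)
                .withMethod(HttpMethod.GET)   // download only
                .withExpiration(expiry);      // the signature stops validating after this time
        URL url = s3.generatePresignedUrl(request); // the object itself stays private
        // Log who was given a link, not the URL: its signature works as a bearer credential.
        LOG.info(() -> "issued user=" + userId + " key=" + key + " expires=" + expiry);
        return url;
    }

    public static void main(String[] args) {
        AmazonS3 s3 = AmazonS3ClientBuilder.defaultClient(); // region and credentials from the environment
        // Constructed policy for the demo: only "alice" may read keys under images/.
        ImageLinkService service = new ImageLinkService(s3,
                (user, key) -> user.equals("alice") && key.startsWith("images/"));
        System.out.println(service.issueDownloadUrl("alice", "example-bucket", "images/photo.png"));
    }
}
```

Anyone who obtains the returned URL can fetch the object until it expires, so keep the lifetime short and deliver it only over the authenticated session.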
