Amazon S3 Server Side Encryption Bucket Policy problems

Problem description

I am using a bucket policy that denies any non-SSL communications and UnEncryptedObjectUploads.

{
  "Version": "2012-10-17",
  "Id": "Policy1361300844915",
  "Statement": [
    {
      "Sid": "DenyUnSecureCommunications",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {"Bool": {"aws:SecureTransport": false}}
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": {"AWS": "*"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}
      }
    }
  ]
}

This policy works for applications that support SSL and SSE settings, but only for the objects being uploaded.

I ran into these problems:

  1. CloudBerry Explorer and S3 Browser failed to rename folders and files in the bucket with this policy. When I applied only the SSL requirement in the bucket policy, these browsers completed file/folder renames successfully.

CloudBerry Explorer was able to RENAME objects with the full SSL/SSE bucket policy only after I enabled, in Options, "Amazon S3 Copy/Move through the local computer" (slower and costs money).

All copy/move operations inside Amazon S3 failed due to that restrictive policy.

That means that we cannot control a copy/move process that does not originate from the application that manipulates local objects. At least the above-mentioned CloudBerry option proved that.

But I might be wrong; that is why I am posting this question.

  2. In my case, with the bucket policy enabled, the S3 Management Console becomes useless. Users cannot create folders or delete them; they can only upload files.

Is there something wrong with my bucket policy? I do not know the Amazon S3 mechanisms that are used for manipulating objects.

Does Amazon S3 treat external requests (API/HTTP headers) and internal requests differently?

Is it possible to apply this policy only to uploads and not to internal Amazon S3 GET/PUT etc.? I have tried an HTTP referer condition with the bucket URL, to no avail.

The bucket policy with SSL/SSE requirements is mandatory for my implementation.

Any ideas would be appreciated.

Thanks in advance.

Recommended answer

IMHO there is no way to automatically tell Amazon S3 to turn on SSE for every PUT request. So, what I would investigate is the following:

  • write a script that lists your bucket

  • for each object, get the metadata

  • if SSE is not enabled, use the PUT COPY API (http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html) to add SSE: "(...) When copying an object, you can preserve most of the metadata (default) or specify new metadata (...)"

  • if the PUT operation succeeded, use the DELETE object API to delete the original object

Then run that script on an hourly or daily basis, depending on your business requirements. You can use the S3 API in Python (http://boto.readthedocs.org/en/latest/ref/s3.html) to make it easier to write the script.
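The list / inspect / COPY-with-SSE procedure above, written as an added example against the boto3 client API (it is not the answer's own script, which refers to the older boto library). It copies each unencrypted object onto itself with `ServerSideEncryption="AES256"`, which replaces the original in place, so the answer's separate DELETE step is not needed; the `FakeS3` class is a constructed in-memory stand-in so the code runs offline.

```python
def unencrypted_keys(s3, bucket):
    """Return the keys in `bucket` whose HEAD response carries no
    ServerSideEncryption field, following list_objects_v2 pagination."""
    keys, token = [], None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:
                keys.append(obj["Key"])
        if not page.get("IsTruncated"):
            return keys
        token = page["NextContinuationToken"]

def reencrypt(s3, bucket, key):
    """Copy the object onto itself with SSE-S3. This request carries the
    x-amz-server-side-encryption header that DenyUnEncryptedObjectUploads
    checks, so it passes; an in-S3 copy sent without that header is denied."""
    s3.copy_object(
        Bucket=bucket, Key=key,
        CopySource={"Bucket": bucket, "Key": key},
        MetadataDirective="COPY",  # keep the user metadata, as the answer notes
        ServerSideEncryption="AES256",
    )

def remediate(s3, bucket):
    """Re-encrypt every unencrypted object; returns the keys it touched."""
    keys = unencrypted_keys(s3, bucket)
    for key in keys:
        reencrypt(s3, bucket, key)
    return keys

class FakeS3:
    """Constructed in-memory stand-in for the boto3 client (not real S3)."""
    def __init__(self, objects):
        self.objects = {k: dict(v) for k, v in objects.items()}  # key -> HEAD fields
    def list_objects_v2(self, Bucket, ContinuationToken=None):
        return {"Contents": [{"Key": k} for k in sorted(self.objects)], "IsTruncated": False}
    def head_object(self, Bucket, Key):
        return dict(self.objects[Key])
    def copy_object(self, Bucket, Key, CopySource, MetadataDirective, ServerSideEncryption):
        self.objects[Key] = dict(self.objects[CopySource["Key"]], ServerSideEncryption=ServerSideEncryption)
```

Against a real bucket, call `remediate(boto3.client("s3"), "my-bucket")` with credentials that allow s3:GetObject and s3:PutObject on the keys.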

If this "change-after-write" solution is not valid for you business-wise, you can work at a different level:

  • use a proxy between your API client and the S3 API (like a reverse proxy on your site), and configure it to add the SSE HTTP header for every PUT / POST request. Developers must go through the proxy and must not be authorised to issue requests against S3 API endpoints

  • write a wrapper library that adds the SSE metadata automatically, and oblige developers to use your library on top of the SDK.

The latter two are a matter of discipline in the organisation, as it is not easy to enforce them at a technical level.

勒布
