S3 notification when file is overwritten, or deleted


Question

Since we store our log files on S3 and to meet PCI requirements, we have to be notified when someone tampers with the log files.

How can I be notified every time a put request is placed that replaces an existing object, or when an existing object is deleted? The alert should not fire if a new object is created unless it replaces an existing one.

Answer

S3 does not currently provide deletion-only or overwrite-only notifications. Deletion notifications were added after the initial launch of the notification feature and can notify you when an object is deleted, but they do not notify you when an object is implicitly deleted by an overwrite.

However, S3 does have functionality to accomplish what you need, in a way that seems superior to what you are contemplating: object versioning and multi-factor authentication for deletion, both discussed here:

http://docs.aws.amazon.com/AmazonS3/Latest/dev/Versioning.html

With versioning enabled on the bucket, an overwrite of a file doesn't remove the old version of the file. Instead, each version of the file has an opaque string, assigned by S3, identifying the Version ID.

If someone overwrites a file, you would then have two versions of the same file in the bucket -- the original one and the new one -- so you not only have evidence of tampering, you also have the original file, undisturbed. Any object with more than one version in the bucket has, by definition, been overwritten at some point.

If you also enable Multi-Factor Authentication (MFA) Delete, then none of the versions of any object can be removed without access to the hardware or virtual MFA device.

As a developer of AWS utilities, tools, and libraries (3rd party; I'm not affiliated with Amazon), I am highly impressed by Amazon's implementation of object versioning in S3, because it works in such a way that client utilities that are unaware of versioning, or unaware that versioning is enabled on the bucket, should not be affected in any way. This means you should be able to activate versioning on a bucket without changing anything in your existing code. For example:

  • fetching an object without an accompanying version id in the request simply fetches the newest version of the object

  • objects in versioned buckets aren't really deleted unless you explicitly delete a particular version; however, you can still "delete an object" and get the expected response back. Subsequently fetching the "deleted" object without specifying an accompanying version id still returns a 404 Not Found, as in the non-versioned environment, with the addition of an unobtrusive x-amz-delete-marker: header included in the response to indicate that the "latest version" of the object is in fact a delete marker placeholder. The individual versions of the "deleted" object remain accessible to version-aware code, unless purged.

  • other operations that are unrelated to versioning, which work on non-versioned buckets, continue to work the same way they did before versioning was enabled on the bucket.

But, again... with code that is version-aware, including the AWS console (two new buttons appear when you're looking at a versioned bucket -- you can choose to view it with a versioning-aware console view or a versioning-unaware console view), you can iterate through the different versions of an object and fetch any version that has not been permanently removed... but preventing unauthorized removal of objects is the point of MFA Delete.

Additionally, of course, there's bucket logging, which is typically only delayed by a few minutes from real-time and could be used to detect unusual activity... the history of which would be preserved by the bucket versioning.
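The answer's point that "any object with more than one version has, by definition, been overwritten" and that a deleted object is just one whose newest entry is a delete marker can be turned directly into an audit. The script below is an added example, not code from the question or answer: it walks a ListObjectVersions result (the dict shape boto3's `list_object_versions` / its paginator returns, with `Versions` and `DeleteMarkers` lists) and reports every key that was overwritten (with the original version ID, still intact) or deleted (with the versions that remain recoverable). The bucket contents, keys and version IDs are constructed sample data; the live `fetch_pages` helper is an assumption about your environment (boto3 installed, credentials with `s3:ListBucketVersions`) and is only used when a bucket name is passed on the command line.

```python
"""Audit a versioned S3 bucket for overwrites and deletions.

Added example (not part of the original answer). Works offline on the
constructed SAMPLE_LISTING below; pass a bucket name as argv[1] to run it
against a real bucket through boto3's list_object_versions paginator.
"""
import json
import sys
from collections import defaultdict
from datetime import datetime, timezone


def _utc(iso):
    """Build a tz-aware timestamp like the ones boto3 puts in LastModified."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample page: one untouched log, one overwritten log (two real
# versions), one deleted log (one real version hidden behind a delete marker).
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "logs/2024-05-01.log", "VersionId": "v1aaaa", "IsLatest": True,
         "LastModified": _utc("2024-05-02T00:10:00"), "Size": 1000},
        {"Key": "logs/2024-05-02.log", "VersionId": "v2bbbb", "IsLatest": True,
         "LastModified": _utc("2024-05-04T09:00:00"), "Size": 900},
        {"Key": "logs/2024-05-02.log", "VersionId": "v1cccc", "IsLatest": False,
         "LastModified": _utc("2024-05-03T00:10:00"), "Size": 1200},
        {"Key": "logs/2024-05-03.log", "VersionId": "v1dddd", "IsLatest": False,
         "LastModified": _utc("2024-05-04T00:10:00"), "Size": 1100},
    ],
    "DeleteMarkers": [
        {"Key": "logs/2024-05-03.log", "VersionId": "dm0001", "IsLatest": True,
         "LastModified": _utc("2024-05-04T11:30:00")},
    ],
}


def audit_versions(pages):
    """Group versions and delete markers by key and flag tampering.

    pages: iterable of ListObjectVersions response dicts (one page is fine;
           a boto3 paginator yields exactly this shape, so pagination is free).
    Returns {"overwritten": {key: {...}}, "deleted": {key: {...}}}.
    """
    history = defaultdict(list)  # key -> [(LastModified, VersionId, is_marker)]
    for page in pages:
        for v in page.get("Versions", []):
            history[v["Key"]].append((v["LastModified"], v["VersionId"], False))
        for m in page.get("DeleteMarkers", []):
            history[m["Key"]].append((m["LastModified"], m["VersionId"], True))

    report = {"overwritten": {}, "deleted": {}}
    for key, entries in history.items():
        entries.sort()  # oldest first; tz-aware datetimes compare correctly
        real = [vid for _, vid, marker in entries if not marker]
        # Two or more real versions: a PUT replaced an existing object, and
        # real[0] is the original, untouched content an auditor can retrieve.
        if len(real) > 1:
            report["overwritten"][key] = {"original": real[0],
                                          "replacements": real[1:]}
        # Newest entry is a delete marker: a versioning-unaware GET now sees
        # 404 with x-amz-delete-marker: true, but the real versions survive.
        _, newest_vid, newest_is_marker = entries[-1]
        if newest_is_marker:
            report["deleted"][key] = {"delete_marker": newest_vid,
                                      "recoverable": real}
    return report


def fetch_pages(bucket, prefix=""):
    """Live variant (assumes boto3 + credentials; not exercised offline)."""
    import boto3
    paginator = boto3.client("s3").get_paginator("list_object_versions")
    return paginator.paginate(Bucket=bucket, Prefix=prefix)


if __name__ == "__main__":
    pages = fetch_pages(sys.argv[1]) if len(sys.argv) > 1 else [SAMPLE_LISTING]
    print(json.dumps(audit_versions(pages), indent=2))
```

Run on a schedule (or from the bucket's own access logs as a trigger) this gives the overwrite/delete alert the question asks for without any S3 notification support, and the flagged version IDs are exactly what you need to pull the original bytes back out. Two caveats: the audit only sees what is still in the bucket, so it must be paired with MFA Delete (which can only be turned on by the bucket owner's root credentials with the MFA device) to stop an attacker from purging the old versions, and a key that was deleted and then re-created will show the delete marker in the middle of its history rather than at the end, which this report deliberately does not count as "currently deleted".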
