在GCS存储桶名称中使用project-id有什么风险? [英] What's the risk in using project-id in GCS bucket names?
问题描述
我一直使用project-id作为我的GCS存储桶名称中的前缀来轻松获得唯一名称.当我阅读 GCS最佳做法
它清楚地表明不要使用项目名称或项目编号(与projectId:s无关)但是另一方面,当我启动GAE时,会自动创建两个包含project-id的存储桶.
Google是不是遵循自己的最佳做法,还是我错过了什么?
由于存储桶名称是公开可见的,所以我在存储桶名称中具有projectId的最大风险是我向潜在的攻击者提供有关该项目的线索吗?
在某种程度上,它确实似乎表明Google可能并未遵循其最佳做法(如该页面上所列,假设项目名称和数字表示GCP名称)和数字).置于GCP之上的Firebase项目的默认存储区也是如此.
您链接的文档说明了避免使用项目名称的原因:
...因为任何人都可以探测到桶的存在...
这个想法是,如果有人知道您的项目名称,他们可以使用它来构建存储桶的全名,并在攻击中使用该知识以获得其内容.但是,如果您的安全配置正好是应该的,那么知道存储桶的名称就不会有问题.对于Firebase项目而言尤其如此,该项目使用安全规则来确定谁应该能够访问哪些对象.
为了避免攻击者猜测您的存储桶名称及其任何内容,我会采纳文档中的建议,以作为一种通过模糊处理来确保安全性的措施.但是,如果那不是您关心的问题,那就不要理会.
I've been using project-id as a prefix in my GCS bucket-names to easily get a unique name. When I read GCS-best practises
It says clearly not to use project-names or project-numbers (nothing about projectId:s) But on the other hand, when I spin up GAE, two buckets containing the project-id are automatically created.
Is Google not following their own best practices or did I miss something?
Are the greatest risk of having projectId in bucket name that I give clues to a potential attacker about the project since bucket-names are publicly visible?
It does appear, to some degree, that Google might not be following its best practices (as listed on that page, assuming that project names and numbers mean GCP names and numbers). The default bucket for Firebase projects layered on top of GCP does the same.
The documentation you linked states the reason to avoid using project names:
... because anyone can probe for the existence of a bucket ...
The idea is that if someone knows the name of your project, they could use that to build the full name of the bucket, and use that knowledge in an attack in order to gain its contents. However, if your security configuration is exactly what it should be, then knowing the name of the bucket won't be a problem. This is particularly true for Firebase projects, which use security rules to determine who should be able to access what objects.
I'd take the advice in the documentation as a measure of security through obscurity in order to prevent attackers from guessing the names of your buckets and any of its contents. But if that's not your concern, then ignore it.
这篇关于在GCS存储桶名称中使用project-id有什么风险?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
