AWS S3 作为超链接的签名 URL 的安全性 [英] AWS S3 The security of a signed URL as a hyperlink

问题描述

这样安全吗?使用带有 AWS S3 Bucket 对象的预签名 url 来维护安全性?

Is this safe? Maintaining security using a pre-signed url with AWS S3 Bucket object?

<a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a>

另一种说法 - 第 1 部分...

Another words - part 1...

假设我将一堆单独的个人文件存储在一个存储桶中.我想为用户提供一个文件链接.显然，每个文件都是唯一但连续命名的，我不希望人们能够将链接从 40.pdf 更改为 30.pdf 并获得不同的文件.这个网址似乎是这样做的.

say I'm storing a bunch of separate individual's files in a bucket. I want to provide a link to a file for a user. Obviously, each file is uniquely but consecutively named, I don't want people to be able to change the link from 40.pdf to 30.pdf and get a different file. This URL seems to do that.

第 2 部分，更重要的是......

part 2, and more importantly....

就我的存储桶的安全性而言，这是安全的还是危险的显示 URL 的方法?显然，我将在这里泄露我的访问密钥"，但当然，不是我的秘密".

Is this safe or is a it dangerous method of displaying a URL in terms of the security of my bucket? Clearly, i will be giving away my "access key" here, but of course, not my "secret".

3 年前就已经回答了...抱歉.亚马逊 AWS 访问密钥的安全性如何?

Already answered 3 years ago... sorry. How secure are Amazon AWS Access keys?

推荐答案

AWS 安全凭证用于对 AWS 进行 API 调用.它们由两个部分组成:

AWS Security Credentials are used when making API calls to AWS. They consist of two components:

• 访问密钥(例如AKIAISEMTXNOG4ABPC6Q):这类似于用户名.别人看也无妨.
• 密钥:这是一长串随机字符，是您与 AWS 之间的共享密钥.在进行 API 调用时，SDK 使用共享密钥来签署"您的 API 调用.这是一种单向哈希，因此人们无法对您的密钥进行逆向工程.密钥应保密.

• Access Key (eg AKIAISEMTXNOG4ABPC6Q): This is similar to a username. It is okay for people to see it.
• Secret Key: This is a long string of random characters that is a shared secret between you and AWS. When making API calls, the SDK uses the shared secret to 'sign' your API calls. This is a one-way hash, so people cannot reverse-engineer your secret key. The secret key should be kept private.

签名 URL 是一种授予对 S3 对象的限时访问权限的方法.URL 包含访问密钥和签名，签名是根据对象、到期时间和密钥计算的单向哈希.

A Signed URL is a method of granting time-limited access to an S3 object. The URL contains the Access Key and a Signature, which is a one-way hash calculated from the object, expiry time and the Secret Key.

签名 URL 是安全的，因为:

A Signed URL is safe because:

• 它仅在您指定的有限时间段内有效
• 仅对您指定的 Amazon S3 对象有效
• 它不能用于检索不同的对象，也不能修改时间段(因为它会使签名无效)

但是，任何人都可以在有效时间段内使用该 URL.因此，如果有人发推文 URL，许多人可能会在到期时间之前访问该对象.应权衡这种潜在的安全威胁与直接从 Amazon S3 提供流量的好处，而不必运行您自己的网络服务器.

However, anyone can use the URL during the valid time period. So, if somebody Tweets the URL, many people could potentially access the object until the expiry time. This potential security threat should be weighed against the benefit of serving traffic directly from Amazon S3 rather than having to run your own web servers.

这篇关于AWS S3 作为超链接的签名 URL 的安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！