亚马逊S3只写访问 [英] Amazon S3 Write Only access
问题描述
我备份几个客户的文件,直接到亚马逊的S3存储 - 每个客户不同的文件夹。我用下,Windows任务一次夜间运行一个简单的.NET客户端。为了让书写桶中,我的客户既需要AWS访问密钥和秘密密钥(我创建了一个新的对)。
我的问题是:
-
我如何确保我的客户没有可能利用对在水桶和一个文件夹,不是他自己的偷看?我可以创建一个只写的访问对?
-
难道我处理这个正确的方式?如果这种通过AWS访问设置之前上传解决,或者我应该客户端的加密文件,客户机(每个客户使用不同的密钥),并避免上述交叉访问?
使用IAM创建为每个客户(不只是一个额外的密钥对)一个单独的用户,然后给到只有他们S3文件夹中每个用户的访问。举例来说,如果桶被称为 everybodysbucket ,和客户A的文件都以用户A / (和客户B的同用户B / ),那么你就可以授予权限 everybodysbucket /用户A / * 来为顾客A的用户,并 everybodysbucket /用户B / * 为消费者B。
将prevent无法看到任何资源不是自己的每一个用户。
使用还可以控制特定的操作S3中,不只是资源,每一个用户都可以访问。所以,是的,你可以,如果你想授予只写权限的用户。
I'm backing up files from several customers directly into an Amazon S3 bucket - each customer to a different folder. I'm using a simple .Net client running under a Windows task once a night. To allow writing to the bucket, my client requires both the AWS access key and the secret key (I created a new pair).
My problem is:
How do I make sure none of my customers could potentially use the pair to peek in the bucket and in a folder not his own? Can I create a "write only" access pair?
Am I approaching this the right way? Should this be solved through AWS access settings, or should I client-side encrypt files on the customer's machine (each customer with a different key) prior to uploading and avoid a the above mentioned cross-access?
Use IAM to create a separate user for each customer (not just an additional key pair), then give each user access to only their S3 folder. For instance, if the bucket is called everybodysbucket, and customer A's files all start with userA/ (and customer B's with userB/), then you can grant permission to everybodysbucket/userA/* to the user for customer A, and to everybodysbucket/userB/* for customer B.
That will prevent each user from seeing any resources not their own.
Use can also control specific S3 operations, not just resources, that each user can access. So yes, you can grant write-only permission to the users if you want.
这篇关于亚马逊S3只写访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
