如何安全是$在AWS S3 p $ psigned网址？ [英] How secure are presigned URLs in AWS S3?

问题描述

我打算将用户重定向到presigned存储在S3敏感资源的URL。这些检查用户的权限后，得到产生，并具有攻击性的超时（30秒）。然而，我担心的是，是否有可能通过一些恶意软件在我的客户端机器present捕捉到的网址，仍然URL的到期时间内下载该文件。还是我只是太偏执？

I am planning to redirect users to presigned URLs of sensitive resources stored in S3. These get generated after checking the user's rights and have aggressive timeouts (30 secs). My worry however is whether it would be possible by some malware that is present on my client's machine to capture the url and still download the file within the expire time of the URL. Or Am I just being too paranoid?

如果这已经回答过，请点我在那个方向。鸭preciate你的帮助。

If this has been answered before, please point me in that direction. Appreciate your help.

推荐答案

我发现这 - 的http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html 并给它一个尝试。它似乎工作。意译code从DOC -

I found this - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html and gave it a try. It seems to works. Paraphrasing the code from the doc -

# Start a session with restricted permissions.
sts = AWS::STS.new()
policy = AWS::STS::Policy.new
policy.allow(
  :actions => ["s3:ListBucket"],
  :resources => "arn:aws:s3:::#{bucket_name}"
).condition.add(:like, :referer, "domain.com")

session = sts.new_federated_session(
  'User1',
  :policy => policy,
  :duration => 2*60*60)

所以，我们创建策略可以有原始IP地址，客户端下载和/或可能是AWS：引用站点字段设置为我的应用程序的域。我认为这提供了阻塞用于至少一个级别到你的资源。我得到的是，IP地址或引用者很​​容易被欺骗。但它比没有任何保障可言更好。

So the policy that we create can have originating IP address from which the client downloads or/and may be the aws:Referer field set to my app's domain. I think this provides atleast one level of obstruction to your resource. I get that, the IP address or the referer can easily be spoofed. But its better than not having any protection at all.

这篇关于如何安全是$在AWS S3 p $ psigned网址？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！