AWS S3: the security of a signed URL as a hyperlink


Question

Is this safe? Maintaining security using a pre-signed url with AWS S3 Bucket object?

<a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a>

In other words - part 1...

say I'm storing a bunch of separate individuals' files in a bucket. I want to provide a link to a file for a user. Obviously, each file is uniquely but consecutively named, I don't want people to be able to change the link from 40.pdf to 30.pdf and get a different file. This URL seems to do that.

part 2, and more importantly....

Is this safe or is it a dangerous method of displaying a URL in terms of the security of my bucket? Clearly, I will be giving away my "access key" here, but of course, not my "secret".

Already answered 3 years ago... sorry. How secure are Amazon AWS Access keys?

Answer

AWS Security Credentials are used when making API calls to AWS. They consist of two components:

  • Access Key (eg AKIAISEMTXNOG4ABPC6Q): This is similar to a username. It is okay for people to see it.
  • Secret Key: This is a long string of random characters that is a shared secret between you and AWS. When making API calls, the SDK uses the shared secret to 'sign' your API calls. This is a one-way hash, so people cannot reverse-engineer your secret key. The secret key should be kept private.

A Signed URL is a method of granting time-limited access to an S3 object. The URL contains the Access Key and a Signature, which is a one-way hash calculated from the object, expiry time and the Secret Key.

A Signed URL is safe because:

  • It is valid only for a specified, limited time period
  • It is valid only for the Amazon S3 object you specify
  • It cannot be used to retrieve other objects, nor can the time period be modified (because that would invalidate the signature)

However, anyone can use the URL during the valid time period. So, if somebody Tweets the URL, many people could potentially access the object until the expiry time. This potential security threat should be weighed against the benefit of serving traffic directly from Amazon S3 rather than having to run your own web servers.
