What is the "aws_security_token" used for

Time: 2016-04-04 17:26:52

Tags: amazon-web-services amazon-s3 pre-signed-url

I want to use pre-signed URLs with AWS S3. What I noticed is that pre-signed URLs include the aws_access_key_id and the aws_security_token.

From my understanding the aws_security_token is part of the URL because I'm using temporary security credentials and it is necessary for signing the URL properly.

But is it fine to give the URL to, let's say, a frontend client to download an image? The aws_security_token is part of the URL (not encrypted). I'm concerned about security and I was not able to figure out what the purpose of the token is, and what an attacker can do with my aws_access_key_id and the aws_security_token.

2 answers:

Answer 0 (score: 1)

Yes, the aws_access_key_id and the aws_security_token (if present) are considered safe to expose.

To be able to do any harm, an attacker would theoretically need to reverse-engineer the third component (the AWS secret access key) from the request parameters and the signature, so that they could generate a valid alternate signature for an alternate request.

If that were possible, the attacker could do anything the temporary credentials are authorized to do - but - this would involve reverse-engineering multiple rounds of HMAC-SHA-256, which is considered computationally infeasible.

Additionally, when temporary credentials are in use (which is when you will see an aws_security_token), the credentials are only valid for a short time anyway - so even if reverse-engineering were feasible, it would have to be done within an impractically short window.

The security token itself is - probably - a signed and encrypted message describing the permissions attached to the temporary access key id and secret, which helps AWS decentralize authorization decisions based on the token. Whatever its actual contents (which do not appear to be documented), it is not independently useful without the accompanying temporary access key id and secret - and the secret is not exposed in the signed URL and cannot be recovered from it, by design, as noted above. Conversely, the temporary access key id and secret are useless without the token.
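To make the point above concrete, here is an added example (not code from the answer, from AWS, or from the AWS SDK) of SigV4 query-string signing as used for S3 presigned URLs, written against the Python standard library only. The bucket, key id, secret and session token are constructed sample values. It shows that the session token rides along in the query string (X-Amz-Security-Token), that the secret only seeds the HMAC-SHA-256 chain and never appears in the URL, and that changing any signed parameter (the object key, the token) invalidates the signature.

```python
import hashlib
import hmac
from urllib.parse import quote, parse_qsl, urlsplit
from datetime import datetime, timezone

ALGO = "AWS4-HMAC-SHA256"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _canonical_query(params: dict) -> str:
    # SigV4 canonical form: keys sorted, everything but unreserved characters percent-encoded
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))

def signature_for(host: str, path: str, params: dict, secret_key: str) -> str:
    # Query-string signature for a GET where only the Host header is signed.
    canonical_request = "\n".join(
        ["GET", path, _canonical_query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date, region = params["X-Amz-Credential"].split("/")[1:3]
    string_to_sign = "\n".join([ALGO, params["X-Amz-Date"], f"{date}/{region}/s3/aws4_request",
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # The secret only seeds this HMAC chain; nothing placed in the URL lets it be recovered.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, access_key_id, secret_key, session_token, region, expires, now):
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    date = now.strftime("%Y%m%d")
    params = {"X-Amz-Algorithm": ALGO, "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
              "X-Amz-Credential": f"{access_key_id}/{date}/{region}/s3/aws4_request",
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary credentials: the token goes in the query string, the secret does not
        params["X-Amz-Security-Token"] = session_token
    sig = signature_for(host, path, params, secret_key)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"

def verify(url: str, secret_key: str) -> bool:
    # Receiver side (what S3 does): recompute the signature over the URL exactly as presented.
    u = urlsplit(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    return hmac.compare_digest(presented, signature_for(u.netloc, u.path, params, secret_key))

def sample_url(secret_key: str = "exampleSecretKey") -> str:
    # Constructed sample credentials (not real); the token deliberately contains '/', '+' and '='.
    return presign_get("example-bucket", "images/cat.png", "ASIAEXAMPLEKEYID", secret_key,
                       "FwoGZXIvYXdzEXAMPLE/session+token==", "us-east-1", 3600,
                       datetime(2019, 11, 1, tzinfo=timezone.utc))
```

The signing rules here (canonical query, UNSIGNED-PAYLOAD, host-only signed headers) are the ones a presigned S3 GET uses; the expiry check that S3 also performs against X-Amz-Date and X-Amz-Expires is left out to keep the block short.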

Answer 1 (score: 0)

In 2014 Amazon switched from AWS_SECURITY_TOKEN to AWS_SESSION_TOKEN, and you should prefer the latter as well. Many projects still set or check both, but it has been 5 years. I think we can let it go.

The aws sts assume-role command returns only a SessionToken, so that is the only one I support in the code I write.

Here is an example using the aws cli:

# `mfa` is a helper not shown in the answer; it is expected to print the current MFA (TOTP) code.
function mfa_serial(){
    aws configure get --profile="$1" mfa_serial
}

function role_arn(){
    aws configure get --profile="$1" role_arn
}

function assrole(){
    # $1 is the profile name; the MFA serial and role ARN are read from that profile's config
    aws sts assume-role                           \
        --role-arn          "$(role_arn   "$1")"  \
        --serial-number     "$(mfa_serial "$1")"  \
        --token-code        "$(mfa)"              \
        --role-session-name "$( ( id -un; date +-%Y-%m-%d+%H.%M.%S ) | tr -d '\n' )"
}

assrole development

Here is the output:

{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAIWL33TL33TL33TL33:brunobronosky",
        "Arn": "arn:aws:sts::485548554855:assumed-role/allow-full-access-from-other-accounts/brunobronosky"
    },
    "Credentials": {
        "SecretAccessKey": "L33TL33TL33TL33TL33TL33TL33TL33TL33TL33T",
        "SessionToken": "L33TL33TL33TEI///////////L33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tm9/TL33TL33TL33TL33T/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tz9/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TS/TL33TL33TL33TL33TL33TL33TL33TL33TL33T/TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33TL33Tos/TL33TL33TL33TL33TL33TL33TL33T/A==",
        "Expiration": "2019-11-01T00:00:00Z",
        "AccessKeyId": "ASIAL33TL33TL33TL33T"
    }
}