I am setting up Firebase backups and trying to work out the best way to keep the data secure and encrypted.
Firebase tells me to supply a public PGP key, but AWS also has a Key Management System (KMS) for creating keys. I created a key, but I am not sure where to get its public-key version to give to Firebase?
I am not sure whether I am doing this correctly, but if you have any advice on how best to protect the bucket and the data it holds, please let me know.
Answer 0 (score: 1)
You can set up "basic" SSE (server-side encryption) with AES256, which is the default. With that, plus a bucket policy that denies any upload lacking the SSE header, you should be fine.
This is a fairly good level of encryption, since every object is encrypted with a unique key, and as an additional safeguard that key is itself encrypted with a master key that AWS rotates regularly.
To set this up, you basically apply the following bucket policy:
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
This only accepts putObject requests that carry the request header the two conditions above check, x-amz-server-side-encryption, set to AES256.
You can also set up your own KMS (Key Management System), but I think it is fairly expensive.
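To see why the policy above needs both Deny statements, here is an added example (not code from the answer or from AWS) that evaluates the policy offline against constructed PutObject requests. It assumes only the two condition operators the policy uses and that the s3:x-amz-server-side-encryption condition key is populated from the x-amz-server-side-encryption request header.

```python
import json

# Bucket policy quoted in the answer above; the bucket name is the answer's placeholder.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::YourBucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}
  ]
}""")


def condition_matches(operator, pairs, headers):
    """Evaluate one condition-operator block against lower-cased request headers.

    Only the two operators this policy uses are implemented (an assumption of this
    example); the s3:x-amz-server-side-encryption condition key is read from the
    x-amz-server-side-encryption request header.
    """
    for key, expected in pairs.items():
        actual = headers.get(key.split(":", 1)[1])   # "s3:x-amz-..." -> "x-amz-..."
        if operator == "Null":
            # "true" matches when the key is absent from the request context.
            if (actual is None) != (expected == "true"):
                return False
        elif operator == "StringNotEquals":
            # Negated operator: a missing key does not match, which is why the
            # policy needs the separate Null statement to catch absent headers.
            if actual is None or actual == expected:
                return False
        else:
            raise NotImplementedError(operator)
    return True


def evaluate_put_object(headers, policy=BUCKET_POLICY):
    """Return the Sid of the first Deny statement matching a PutObject request,
    or "NotDenied" (the request still needs an Allow from elsewhere to succeed)."""
    headers = {k.lower(): v for k, v in headers.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, kv, headers) for op, kv in stmt["Condition"].items()):
            return stmt["Sid"]
    return "NotDenied"
```

Call evaluate_put_object with a dict of the upload's headers: an empty dict is caught by DenyUnEncryptedObjectUploads, a header set to aws:kms by DenyIncorrectEncryptionHeader, and only AES256 gets through.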