Are AWS ARNs secret?

Time: 2021-07-01 19:51:52

Tags: amazon-web-services security amazon-s3

I am implementing uploads to S3 with presigned URLs, and I have run into a doubt.

According to the S3:PutObject docs, to specify SSE-KMS encryption I need to specify both:

  • x-amz-server-side-encryption: aws:kms
  • x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId

In particular, the latter is documented as:

> This header specifies the ID of the AWS Key Management Service

In my current use case the value of x-amz-server-side-encryption-aws-kms-key-id has to be a full ARN, because I am dealing with cross-account bucket access.

I have always considered any internal identifier to be a secret, but this documentation raises the following questions:

  • What is the impact of a leaked ARN?
  • Is it safe to include an AWS ARN in a header, as the documentation describes?

As additional (possibly) useful information, I ran the equivalent AWS CLI command for this operation in debug mode; here is a snippet of the full output:

2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Checking for DNS compatible bucket for: https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2
2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Not changing URI, bucket is not DNS compatible: %BUCKET_NAME%
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - CanonicalRequest:
PUT /%BUCKET_NAME%/sample_file.bin.2

content-md5:XXXXXoXNw5aXreJi4EOxA==
content-type:application/octet-stream
host:s3.%REGION%.amazonaws.com
x-amz-acl:bucket-owner-full-control
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:%DATE%T193805Z
x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%
content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id
UNSIGNED-PAYLOAD
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
%DATE%T193805Z
%DATE%/%REGION%/s3/aws4_request
XXXXXXbdbe72de054b86a2ab9043d29132a37c10498546743fff9b941a325f89
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Signature:
XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.hooks - DEBUG - Event request-created.s3.PutObject: calling handler <function signal_transferring at 0x7fc79472ebf8>
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2, headers={'x-amz-acl': b'bucket-owner-full-control', 'x-amz-server-side-encryption': b'aws:kms', 'x-amz-server-side-encryption-aws-kms-key-id': b'arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%', 'Content-Type': b'application/octet-stream', 'User-Agent': b'aws-cli/1.16.261 Python/3.6.12 Linux/5.3.18-lp152.60-preempt botocore/1.15.38', 'Content-MD5': b'7XXXXXXNw5aXreJi4EOxA==', 'Expect': b'100-continue', 'X-Amz-Date': b'%DATE%T193805Z', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'Authorization': b'AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXX/%DATE%/%REGION%/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id, Signature=XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65', 'Content-Length': '1048576'}>

I can see the full KMS ID in the headers...

P.S.: I have redacted most of the metadata and identifiers.

1 answer:

Answer 0 (score: 1)

These are definitely not secrets. While I wouldn't hand out my ARNs on a street corner, they are safe to use in headers and the like.

A third party could use a leaked ARN to attempt actions on your resource, but since they are outside the resource's trust zone they will be denied by default. The only way to change that is to deploy a resource policy that explicitly grants access to principals outside the resource's zone.

In this case, the principal you are trying to grant s3:PutObject to needs to know the appropriate key name/alias in order to specify the encryption; otherwise you will end up with objects in your bucket that you cannot decrypt.
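The SigV4 signing that the debug log above shows, as an added example (standard-library Python; not code from the question, the answer or AWS): it rebuilds the canonical request with the SSE-KMS headers, derives the signature, and then verifies it the way the service would. The credentials, bucket, region and key ARN are constructed placeholders. It shows why the ARN in the header is not the secret: the secret access key is what produces the signature, and because the key-id header is in the SignedHeaders list, a request whose key ARN has been swapped no longer verifies.

```python
"""SigV4 signing of an S3 PutObject request that carries SSE-KMS headers.

Added example (standard library only); it is not code from the question,
the answer, or AWS. Every credential, bucket, region and key ARN below is a
constructed placeholder.
"""
import hashlib
import hmac

# Constructed placeholders: not real credentials or resources.
SECRET_KEY = "EXAMPLESECRETKEY0123456789EXAMPLESECRETKEY"
REGION = "eu-west-1"
BUCKET = "example-cross-account-bucket"
KMS_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
AMZ_DATE = "20210701T193805Z"
PAYLOAD_HASH = "UNSIGNED-PAYLOAD"  # as in the CLI debug log: the body is not hashed


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, path: str, headers: dict, payload_hash: str):
    """Return (canonical request, signed-headers list) in the SigV4 layout:
    method, URI, query string, canonical headers, signed headers, payload hash."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon)
    canonical_headers = "".join(f"{name}:{canon[name]}\n" for name in names)
    signed_headers = ";".join(names)
    request = "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])
    return request, signed_headers


def signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the per-day, per-region, per-service signing key (HMAC chain)."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_put(path: str, headers: dict, secret: str = SECRET_KEY) -> dict:
    """Sign a PUT as the client does. The SSE-KMS headers are inside the
    signed data, so they are bound to the signature but not hidden by it."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/s3/aws4_request"
    canonical, signed_headers = canonical_request("PUT", path, headers, PAYLOAD_HASH)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode("utf-8")).hexdigest()]
    )
    signature = _hmac_sha256(signing_key(secret, date_stamp, REGION), string_to_sign).hex()
    return {"signed_headers": signed_headers, "signature": signature}


def verify_put(path: str, headers: dict, presented_signature: str, secret: str = SECRET_KEY) -> bool:
    """Recompute the signature the way the service does (it holds the secret)
    and compare in constant time."""
    expected = sign_put(path, headers, secret)["signature"]
    return hmac.compare_digest(expected, presented_signature)


def put_headers(kms_key_arn: str) -> dict:
    """Headers for an SSE-KMS PutObject, mirroring the CLI log above."""
    return {
        "host": f"s3.{REGION}.amazonaws.com",
        "x-amz-date": AMZ_DATE,
        "x-amz-content-sha256": PAYLOAD_HASH,
        "x-amz-acl": "bucket-owner-full-control",
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn,
    }


def demo() -> dict:
    path = f"/{BUCKET}/sample_file.bin"
    genuine = sign_put(path, put_headers(KMS_KEY_ARN))
    # The ARN travels in clear in the header, but it is part of the signed data:
    # a request with a different key ARN does not verify against this signature,
    # so seeing the ARN does not let anyone change which key the upload uses.
    other_arn = KMS_KEY_ARN.replace("111122223333", "999999999999")
    return {
        "signed_headers": genuine["signed_headers"],
        "signature": genuine["signature"],
        "genuine_verifies": verify_put(path, put_headers(KMS_KEY_ARN), genuine["signature"]),
        "swapped_key_verifies": verify_put(path, put_headers(other_arn), genuine["signature"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the signed-headers list and the two verification results. This is the mechanism behind the answer's point: a leaked ARN lets someone name the key, but without the secret access key that produced the signature, and without a key policy or bucket policy granting their principal access, S3 and KMS deny the request.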