I am implementing uploads to S3 using pre-signed URLs, and I have reached a point where I am in doubt.
According to the s3:PutObject documentation, in order to specify SSE-KMS encryption I need to specify both:
x-amz-server-side-encryption: aws:kms
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
In particular, the latter is documented as:
"This header specifies the ID of the AWS Key Management Service"
In my current use case, the value of x-amz-server-side-encryption-aws-kms-key-id
must be a full ARN, because I am dealing with cross-account bucket access.
I have always considered any internal identifier to be a secret, but this documentation raises the following questions:
- What are the implications of leaking an ARN?
- Is it SAFE to include AWS ARNs in headers, as the documentation states?
As additional (and possibly useful) information, I ran the equivalent AWS CLI command for this operation in debug mode; this is a fragment of the full output:
2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Checking for DNS compatible bucket for: https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2
2021-07-01 21:38:05,165 - ThreadPoolExecutor-0_0 - botocore.utils - DEBUG - Not changing URI, bucket is not DNS compatible: %BUCKET_NAME%
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Calculating signature using v4 auth.
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - CanonicalRequest:
PUT /%BUCKET_NAME%/sample_file.bin.2
content-md5:XXXXXoXNw5aXreJi4EOxA==
content-type:application/octet-stream
host:s3.%REGION%.amazonaws.com
x-amz-acl:bucket-owner-full-control
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:%DATE%T193805Z
x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%
content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id
UNSIGNED-PAYLOAD
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
%DATE%T193805Z
%DATE%/%REGION%/s3/aws4_request
XXXXXXbdbe72de054b86a2ab9043d29132a37c10498546743fff9b941a325f89
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.auth - DEBUG - Signature:
XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.hooks - DEBUG - Event request-created.s3.PutObject: calling handler <function signal_transferring at 0x7fc79472ebf8>
2021-07-01 21:38:05,166 - ThreadPoolExecutor-0_0 - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=False, method=PUT, url=https://s3.%REGION%.amazonaws.com/%BUCKET_NAME%/sample_file.bin.2, headers={'x-amz-acl': b'bucket-owner-full-control', 'x-amz-server-side-encryption': b'aws:kms', 'x-amz-server-side-encryption-aws-kms-key-id': b'arn:aws:kms:%REGION:%ACCOUNT_NUMBER%:key/%KEY_ID%', 'Content-Type': b'application/octet-stream', 'User-Agent': b'aws-cli/1.16.261 Python/3.6.12 Linux/5.3.18-lp152.60-preempt botocore/1.15.38', 'Content-MD5': b'7XXXXXXNw5aXreJi4EOxA==', 'Expect': b'100-continue', 'X-Amz-Date': b'%DATE%T193805Z', 'X-Amz-Content-SHA256': b'UNSIGNED-PAYLOAD', 'Authorization': b'AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXX/%DATE%/%REGION%/s3/aws4_request, SignedHeaders=content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption;x-amz-server-side-encryption-aws-kms-key-id, Signature=XXXXXXabd40e652756b2dfbc39a0b6c8f2a93fac6f6c8d0140829fb015ccad65', 'Content-Length': '1048576'}>
There I can see the full KMS key ID in the headers...
P.S.: I have redacted most of the metadata; the identifiers
These are absolutely not secrets. While I would not hand out ARNs on a street corner, they are safe to use in headers and the like.
A leaked ARN could be used by a third party to attempt actions against your resources, but since that party sits outside the resource's zone of trust, those attempts are denied by default. The only way to change that is to deploy a resource policy that explicitly grants access to principals outside the resource's zone.
In this case, the principal to whom you are trying to grant s3:PutObject
needs to know the appropriate key name/alias to specify for encryption, otherwise you will end up with objects in your bucket that cannot be decrypted.
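As an added example (not part of the question or the answer above), here is the SigV4 CanonicalRequest and signature shown in the question's debug output, rebuilt with only the Python standard library: the KMS key ARN is one of the SignedHeaders, so whoever receives the signed request can read the ARN, but cannot substitute a different key without invalidating the signature. The secret key, region, account number and key id are constructed placeholders, not real AWS values.

```python
import hashlib
import hmac
# Constructed placeholders, not real AWS values (same redacted shape as the question's log).
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "eu-west-1"
AMZ_DATE = "20210701T193805Z"
KEY_ID_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"

def canonical_request(method, path, headers, payload_hash="UNSIGNED-PAYLOAD"):
    """CanonicalRequest in the layout botocore logs: sorted lowercased headers, SignedHeaders, payload hash."""
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon)
    lines = [method, path, ""]              # empty canonical query string for this PUT
    lines += [f"{n}:{canon[n]}" for n in names]
    lines += ["", ";".join(names), payload_hash]
    return "\n".join(lines), ";".join(names)

def string_to_sign(canon_req, amz_date, region, service="s3"):
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    digest = hashlib.sha256(canon_req.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest]), scope

def signing_key(secret, amz_date, region, service="s3"):
    # kDate -> kRegion -> kService -> kSigning, each an HMAC-SHA256 keyed with the previous result
    k = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k

def sign_put(headers, path, secret=SECRET_KEY, region=REGION, amz_date=AMZ_DATE):
    canon_req, signed = canonical_request("PUT", path, headers)
    sts, _ = string_to_sign(canon_req, amz_date, region)
    sig = hmac.new(signing_key(secret, amz_date, region), sts.encode(), hashlib.sha256)
    return sig.hexdigest(), signed            # (Signature, SignedHeaders) as in the Authorization header

# The headers from the question's debug output, with constructed values.
HEADERS = {
    "host": f"s3.{REGION}.amazonaws.com",
    "content-type": "application/octet-stream",
    "x-amz-acl": "bucket-owner-full-control",
    "x-amz-content-sha256": "UNSIGNED-PAYLOAD",
    "x-amz-date": AMZ_DATE,
    "x-amz-server-side-encryption": "aws:kms",
    KEY_ID_HEADER: "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000",
}
def key_id_is_signed(headers=HEADERS, path="/example-bucket/sample_file.bin.2"):
    """True when the KMS key ARN is a signed header and swapping it for another account's key breaks the signature."""
    sig, signed = sign_put(headers, path)
    tampered = {**headers, KEY_ID_HEADER: headers[KEY_ID_HEADER].replace("1111", "4444", 1)}
    return KEY_ID_HEADER in signed.split(";") and sig != sign_put(tampered, path)[0]
```

The ARN still travels in clear text inside the TLS session and is visible to the uploader, which is exactly why the answer treats it as non-secret but integrity-protected rather than confidential.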