AWS 账户标识符的影响

发布于 2024-07-06 18:49:13 字数 739 浏览 12 评论 0原文

我正在使用亚马逊的工具来构建网络应用程序。 我对他们很满意,但我有安全问题。

现在,我正在使用多个 EC2 实例、S3、SimpleDB 和 SQS。 为了验证对不同服务的请求,您需要添加 访问标识符(需要登录)。

例如,要将文件从 EC2 实例上传到 S3,您的 EC2 实例需要拥有您的访问密钥 ID秘密访问密钥

这基本上意味着您的用户名和密码需要位于您的实例中。

如果我的一个实例受到损害,我的所有亚马逊资产都将受到损害。 这些密钥可用于上传/替换S3和SimpleDB数据、启动和停止EC2实例等。

如何最大限度地减少单个受感染主机的损害?

我的第一个想法是为每个帐户获取多个标识符,以便我可以跟踪所做的更改并快速撤销“被黑”的帐户。 Amazon 不支持每个账户使用多于一组凭证。

我的第二个想法是创建多个帐户并使用 ACL 来控制访问。 不幸的是,并非所有服务都支持授予其他帐户访问您的数据的权限。 另外,您使用的带宽越多,带宽就越便宜,因此将所有内容都通过一个帐户是理想的选择。

有没有人处理过或至少考虑过这个问题?

I'm using Amazon's tools to build a web app. I'm very happy with them, but I have a security concern.

Right now, I'm using multiple EC2 instances, S3, SimpleDB and SQS. In order to authenticate requests to the different services, you include your Access Identifiers (login required).

For example, to upload a file to S3 from an EC2 instance, your EC2 instance needs to have your Access Key ID and your Secret Access Key.

That basically means your username and password need to be in your instances.

If one of my instances were to be compromised, all of my Amazon assets would be compromised. The keys can be used upload/replace S3 and SimpleDB data, start and stop EC2 instances, etc.

How can I minimize the damage of a single compromised host?

My first thought is to get multiple identifiers per account so I can track changes made and quickly revoke the 'hacked' account. Amazon doesn't support more than one set of credentials per account.

My second thought was to create multiple accounts and use ACL's to control access. Unfortunately, not all the services support granting other accounts access to your data. Plus bandwidth is cheaper the more that you use, so having it all go through one account is ideal.

Has anyone dealt with, or at least thought about this problem?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

半城柳色半声笛 2024-07-13 18:49:13

您可以做的是拥有一个超级锁定的“身份验证服务器”。 密钥仅存在于这一台服务器上,所有其他服务器都需要请求它的许可。 您可以将自己的密钥分配给各个服务器,并通过 IP 地址将其锁定。 这样,如果服务器受到威胁,您只需从“身份验证服务器”撤销其密钥即可。

这是可能的,因为 AWS 身份验证的工作方式。 假设您的网络服务器需要将文件上传到 S3。 首先,它将生成 AWS 请求,并将该请求与您的自定义服务器密钥一起发送到“身份验证服务器”。 身份验证服务器将验证请求,执行加密魔法,并将经过身份验证的字符串返回到网络服务器。 然后,网络服务器可以使用它来实际提交请求以及要上传到 S3 的文件。

What you can do is have a single, super-locked down 'authentication server'. The secret key only exists on this one server, and all the other servers will need to ask it for permission. You can assign your own keys to the various servers, and lock it down by IP address as well. That way if a server gets compromised, you simply revoke its key from the 'authentication server'.

This is possible, because of the way the AWS authentication works. Say your webserver needs to upload a file to S3. First, it will generate the AWS request, and send that request along with your custom server key to the 'authentication server'. The authentication server will authenticate the request, doing the crypto magic stuff, and return the authenticated string back to the webserver. The webserver can then use this to actually submit the request along with the file to upload to S3.

貪欢 2024-07-13 18:49:13

AWS 允许您通过身份和访问管理创建多个用户。 这将允许您实现任一场景。

我建议为每个 EC2 实例定义一个 IAM 用户,这允许您在相应的 EC2 实例受到威胁时撤销对特定用户(或只是他们的访问密钥)的访问权限,并使用细粒度的权限来限制用户可以调用的 API以及他们可以访问哪些资源(例如,仅允许用户上传到特定存储桶)。

AWS allows you to create multiple users with Identity and Access Management. This will allow you to implement either of your scenarios.

I would suggest defining an IAM user per EC2 instance, this allows you to revoke access to a specific user (or just their access keys) if the corresponding EC2 instance is compromised and also use fine-grained permissions to restrict what APIs the user can call and what resources they can access (e.g. only permit the user to upload to a specific bucket).

我的奇迹 2024-07-13 18:49:13

此外,AWS IAM 角色允许您向 EC2 实例分配权限,而不必在实例上放置密钥。
请参阅博客文章 http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service- apis-from-ec2.html
大多数 SDK 使用角色创建的临时密钥。

Furthermore, AWS IAM roles allow you to assign permissions to an EC2 instance rather than having to place keys on the instance.
See the blog post at http://aws.typepad.com/aws/2012/06/iam-roles-for-ec2-instances-simplified-secure-access-to-aws-service-apis-from-ec2.html
Most of the SDKs utilize the temporary keys created by the roles.

深爱不及久伴 2024-07-13 18:49:13

AWS 提供“整合账单”,可以解决您再次思考的问题。

https:// aws-portal.amazon.com/gp/aws/developer/account/index.html?ie=UTF8&action=consolidated-billing

“合并账单使您能够合并多个 Amazon Web Services (AWS) 账户的付款通过指定一个支付账户,您可以在公司内部查看所有账户产生的 AWS 成本的综合视图,并获取与您的支付账户关联的每个单独 AWS 账户的详细成本报告。您的总体成本,因为所有帐户的累计使用量可以帮助您更快地达到较低价格的数量级别。”

AWS offers "Consolidated Billing" which addresses your concern in the second thought.

https://aws-portal.amazon.com/gp/aws/developer/account/index.html?ie=UTF8&action=consolidated-billing

"Consolidated Billing enables you to consolidate payment for multiple Amazon Web Services (AWS) accounts within your company by designating a single paying account. You can see a combined view of AWS costs incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled up usage across all of your accounts could help you reach lower-priced volume tiers more quickly."

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文