How does CloudFront get assigned an AWS KMS key to fetch S3 images encrypted at rest?

Question

I would like to use AWS's Server Side Encryption (SSE) with the AWS Key Management Service (KMS) to encrypt data at rest in S3. (See this AWS blog post detailing SSE-KMS.)

However, I also have the requirement that I use Cloudfront Presigned URLs.

How can I set up a Cloudfront distribution to use a key in AWS KMS to decrypt and use S3 objects encrypted at rest?

(This Boto3 issue seems to be from someone looking for the same answers as me, but with no results).

Recommended answer

This was previously not possible because CloudFront didn't support it and because (as I mentioned in comments on John's answer -- which was on the right track) there was no way to roll-your-own solution with Lambda@Edge because the X-Amz-Cf-Id request header --generated on the back side of CloudFront and visible only to S3, not to the trigger invocation -- would invalidate any signature you tried to add to the request inside a Lambda@Edge trigger, because signing of all X-Amz-* headers is mandatory.

But the X-Amz-Cf-Id header value is now exposed to a Lambda@Edge trigger function in the event structure -- not with the other request headers, but as a simple string attribute -- at event.Records[0].cf.config.requestId.

With that value in hand, you can use the execution role credentials and the built-in SDK in the Lambda@Edge environment to generate a signature and add the necessary headers (including an Authorization header with the derived credential identifier and freshly-generated signature) to the request.

This setup does not use an Origin Access Identifier (OAI) because the Lambda@Edge trigger's IAM Execution Role is used instead of an OAI to persuade S3 that the request is authorized.

Achraf Souk has published an official AWS blog post explaining the solution from start to finish.

https://aws.amazon.com/blogs/networking-and-content-delivery/serving-sse-kms-encrypted-content-from-s3-using-cloudfront/


05-24 07:10