Example: AppStream 2.0 application Amazon S3 bucket policy cross-service confused deputy prevention - Amazon AppStream 2.0


When you store data in an Amazon S3 bucket, that bucket can be exposed to the confused deputy problem. This can leave data such as elastic fleets, app blocks, setup scripts, application icons, and session scripts vulnerable to a malicious actor.

To prevent the confused deputy problem, you can specify the aws:SourceAccount condition or the aws:SourceArn condition in the Amazon S3 bucket policy for ELASTIC-FLEET-EXAMPLE-BUCKET.

The following resource policies show how to prevent the confused deputy problem using either of these:

  • aws:SourceAccount with your AWS account ID

  • The aws:SourceArn global condition context key

AppStream 2.0 does not currently support confused deputy prevention for application icons. The service supports it only for VHD files and setup scripts. If you try to add these conditions for application icons, the icons will not be displayed to end users.

In the following example, the bucket policy allows only AppStream 2.0 elastic fleet resources in the owner account to access ELASTIC-FLEET-EXAMPLE-BUCKET.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "your AWS account ID"
        }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}

You can also use the aws:SourceArn condition to restrict resource access to a specific resource.

Note

If you don't know the full ARN of the resource, or if you are specifying multiple resources, use the aws:SourceArn global condition context key with wildcards (*) for the unknown portions of the ARN.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:app-block/*"
        }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}

You can use both the aws:SourceArn and aws:SourceAccount conditions to restrict resource access to a specific resource and account.

Note

If you don't know the full ARN of the resource, or if you are specifying multiple resources, use the aws:SourceArn global condition context key with wildcards (*) for the unknown portions of the ARN.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConfusedDeputyPreventionExamplePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*",
        "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*"
      ],
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:appstream:us-east-1:111122223333:app-block/*"
        },
        "StringEquals": {
          "aws:SourceAccount": "your AWS account ID"
        }
      }
    },
    {
      "Sid": "AllowRetrievalPermissionsToS3AppIconsForAppStream",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"
    }
  ]
}
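As an added check that is not part of the AppStream 2.0 documentation: a small Python audit that walks a bucket policy document and reports every Allow statement granting appstream.amazonaws.com access to something other than app icons without a usable aws:SourceAccount or aws:SourceArn condition, and also catches the "your AWS account ID" placeholder from the examples above if it was never replaced. SAMPLE_POLICY, the Sid names and the audit_policy function are constructed for this example.

```python
import re

# Constructed sample bucket policy (not copied from any account), shaped like the page's
# examples: one guarded statement, one app-icons statement, one with the placeholder left in.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ScriptsGuarded", "Effect": "Allow",
         "Principal": {"Service": "appstream.amazonaws.com"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/scripts/*",
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
        {"Sid": "AppIcons", "Effect": "Allow",
         "Principal": {"Service": "appstream.amazonaws.com"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/app-icons/*"},
        {"Sid": "VhdPlaceholder", "Effect": "Allow",
         "Principal": {"Service": "appstream.amazonaws.com"}, "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::ELASTIC-FLEET-EXAMPLE-BUCKET/vhd-folder/*"],
         "Condition": {"StringEquals": {"aws:SourceAccount": "your AWS account ID"}}},
    ],
}

SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # IAM condition keys are case-insensitive
ACCOUNT_ID = re.compile(r"^\d{12}$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, service="appstream.amazonaws.com", exempt_prefix="/app-icons/"):
    """Map Sid -> finding for Allow statements that grant `service` access to resources
    outside `exempt_prefix` without a usable aws:SourceAccount / aws:SourceArn condition.
    App-icon-only statements are skipped: AppStream 2.0 cannot apply the condition there."""
    findings = {}
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        if all(exempt_prefix in r for r in _as_list(stmt.get("Resource", []))):
            continue
        # Gather aws:SourceAccount / aws:SourceArn values under any operator (StringEquals, ArnLike, ...)
        values = {k.lower(): _as_list(v) for op in stmt.get("Condition", {}).values()
                  for k, v in op.items() if k.lower() in SOURCE_KEYS}
        sid = stmt.get("Sid", "<no Sid>")
        if not values:
            findings[sid] = "no aws:SourceAccount or aws:SourceArn condition"
        elif any(not ACCOUNT_ID.match(a) for a in values.get("aws:sourceaccount", [])):
            findings[sid] = "aws:SourceAccount is not a 12-digit account ID (placeholder left in?)"
    return findings
```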