本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Amazon SNS 数据保护策略示例
**重要**
Amazon SNS 消息数据保护不再向新客户提供。有关替代方案的更多信息和指导,请参阅 [Amazon SNS 消息数据保护可用性变更](https://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-availability-change.html)。
以下数据保护策略示例可用于审计和拒绝敏感数据。有关包含示例应用程序的完整教程,请参阅 [Introducing message data protection for Amazon SNS](https://aws.amazon.com/blogs/compute/introducing-message-data-protection-for-amazon-sns/)(Amazon SNS 消息数据保护简介)博客文章。
## 审计策略示例
审计策略允许您审计多达 99% 的入站邮件,并将调查结果发送到[亚马逊 CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html)[和 Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)。[https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html)
例如,您可以创建审计策略,评估任何系统是否无意中发送或接收了敏感数据。如果您的审计结果表明系统将信用卡信息发送到了无需这些信息的系统,则可以实施数据保护策略来阻止传输此类数据。
以下示例通过查找信用卡号并将发现结果发送到 Lo CloudWatch gs、Firehose 和 Amazon S3 来审核通过该主题的 99% 的消息。
**数据保护策略**:
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": ["*"],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Audit": {
"SampleRate": "99",
"FindingsDestination": {
"CloudWatchLogs": {
"LogGroup": ""
},
"Firehose": {
"DeliveryStream": ""
},
"S3": {
"Bucket": ""
}
}
}
}
}
]
}
```
**审计结果格式示例**:
```
{
"messageId": "...",
"callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
"resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
"dataIdentifiers": [
{
"name": "CreditCardNumber",
"count": 1,
"detections": [
{ "start": 1, "end": 2 }
]
}
],
"timestamp": "2021-04-20T00:33:40.241Z"
}
```
## 带有入站去身份识别遮蔽语句的策略示例
以下示例通过遮蔽消息内容中的敏感数据,阻止用户将带有 `CreditCardNumber` 的敏感消息发布到主题。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "#"
}
}
}
}
]
}
```
**入站去身份识别遮蔽结果示例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ################
```
## 带有入站去身份识别去除语句的策略示例
以下示例通过去除消息内容中的敏感数据,阻止用户将带有 `CreditCardNumber` 的敏感消息发布到主题。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}
```
**入站去身份识别去除结果示例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
```
## 带有出站去身份识别遮蔽语句的策略示例
以下示例通过遮蔽消息内容中的敏感数据,阻止用户使用 `CreditCardNumber` 接收消息。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "-"
}
}
}
}
]
}
```
**出站去身份识别遮蔽结果示例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ----------------
```
## 带有入站去身份识别去除语句的策略示例
以下示例通过去除消息内容中的敏感数据,阻止用户使用 `CreditCardNumber` 接收消息。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}
```
**出站去身份识别去除结果示例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
```
## 入站拒绝语句示例策略
以下示例阻止用户将消息内容中带有 `CreditCardNumber` 的消息发布到主题。API 响应中被拒绝的负载的状态代码为“403 AuthorizationError”。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}
```
## 出站拒绝语句示例策略
以下示例阻止一个 AWS 账户接收包含以下内容的消息`CreditCardNumber`。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}
```
**出站拒绝结果示例,已登录 Amazon CloudWatch:**
```
{
"notification": {
"messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5",
"messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c",
"topicArn": "arn:aws:sns:us-east-2:664555388960:test1",
"timestamp": "2022-09-08 15:40:57.144"
},
"delivery": {
"deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa",
"destination": "arn:aws:sqs:us-east-2:664555388960:test",
"providerResponse": "The topic's data protection policy prohibits this message from being delivered to ",
"dwellTimeMs": 22,
"attempts": 1,
"statusCode": 403
},
"status": "FAILURE"
}
```