本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Amazon SNS 資料保護政策範例
**重要**
Amazon SNS 訊息資料保護不再提供給新客戶。如需替代方案的詳細資訊和指引,請參閱 [Amazon SNS 訊息資料保護可用性變更](https://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-availability-change.html)。
以下範例是您可以用來稽核和拒絕敏感資料的資料保護政策。如需包含範例應用程式的完整教學課程,請參閱 [Introducing message data protection for Amazon SNS](https://aws.amazon.com/blogs/compute/introducing-message-data-protection-for-amazon-sns/) (Amazon SNS 的訊息資料保護簡介) 部落格文章。
## 稽核的範例政策
稽核政策可讓您稽核高達 99% 的傳入訊息,並將調查結果傳送至 [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html)[https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html)、 和 [Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html)。
例如,您可以建立稽核政策來評估是否有任何系統意外傳送或接收敏感資料。如果稽核結果顯示系統正在傳送信用卡資訊至不需要此資訊的系統,您可以使用封鎖政策來防止資料的傳遞。
以下範例透過尋找信用卡號碼並將調查結果傳送至 CloudWatch Logs、Firehose 和 Amazon S3 來稽核 99% 通過主題的訊息。
**資料保護政策**:
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": ["*"],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Audit": {
"SampleRate": "99",
"FindingsDestination": {
"CloudWatchLogs": {
"LogGroup": ""
},
"Firehose": {
"DeliveryStream": ""
},
"S3": {
"Bucket": ""
}
}
}
}
}
]
}
```
**稽核結果格式範例**:
```
{
"messageId": "...",
"callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
"resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
"dataIdentifiers": [
{
"name": "CreditCardNumber",
"count": 1,
"detections": [
{ "start": 1, "end": 2 }
]
}
],
"timestamp": "2021-04-20T00:33:40.241Z"
}
```
## 政策傳入去識別化遮罩陳述式範例
下列範例會遮罩訊息內容中的敏感資料,防止使用者將訊息發佈至含有 `CreditCardNumber` 的主題。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "#"
}
}
}
}
]
}
```
**傳入去識別化修改結果範例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ################
```
## 政策傳入去識別化修改陳述式範例
下列範例會修訂訊息內容中的敏感資料,防止使用者將訊息發佈至含有 `CreditCardNumber` 的主題。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}
```
**傳入去識別化修訂結果範例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
```
## 政策傳出去識別化遮罩陳述式範例
下列範例會遮罩訊息內容中的敏感資料,防止使用者接收含有 `CreditCardNumber` 的訊息。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "-"
}
}
}
}
]
}
```
**傳出去識別化遮罩結果範例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ----------------
```
## 政策傳出去識別化修改陳述式範例
下列範例會修改訊息內容中的敏感資料,防止使用者接收含有 `CreditCardNumber` 的訊息。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}
```
**傳出去識別化修訂結果範例:**
```
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
```
## 政策傳入拒絕陳述式範例
下列範例會防止使用者將訊息內容中有 `CreditCardNumber` 的訊息發佈至主題。API 回應中遭拒的承載狀態碼為「403 AuthorizationError」。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}
```
## 傳出拒絕陳述式的政策範例
下列範例會封鎖 AWS 帳戶接收包含 的訊息`CreditCardNumber`。
```
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}
```
**Amazon CloudWatch 中記錄的傳出拒絕結果範例:**
```
{
"notification": {
"messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5",
"messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c",
"topicArn": "arn:aws:sns:us-east-2:664555388960:test1",
"timestamp": "2022-09-08 15:40:57.144"
},
"delivery": {
"deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa",
"destination": "arn:aws:sqs:us-east-2:664555388960:test",
"providerResponse": "The topic's data protection policy prohibits this message from being delivered to ",
"dwellTimeMs": 22,
"attempts": 1,
"statusCode": 403
},
"status": "FAILURE"
}
```