防止跨服务混淆座席 - Amazon Connect

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

防止跨服务混淆座席

混淆座席问题是一个安全性问题,即不具有操作执行权限的实体可能会迫使具有更高权限的实体执行该操作。在 AWS 中,跨服务模拟可能会导致混淆代理问题。一个服务(调用服务)调用另一项服务(被调用服务)时,可能会发生跨服务模拟。可以操纵调用服务,使用其权限以在其他情况下该服务不应有访问权限的方式对另一个客户的资源进行操作。为防止这种情况,AWS 提供可帮助您保护所有服务的数据的工具,而这些服务中的服务主体有权限访问账户中的资源。

建议在资源策略中使用 aws:SourceArnaws:SourceAccount 全局条件上下文键,以限制 Amazon Connect 为其他服务提供的资源访问权限。如果使用两个全局条件上下文键,在同一策略语句中使用时,aws:SourceAccount 值和 aws:SourceArn 值中的账户必须使用相同的账户 ID。

防止混淆座席问题的有效方法是使用要允许的资源的确切 Amazon 资源名称 (ARN)。如果不知道资源的完整 ARN,或者正在指定多个资源,请针对 ARN 未知部分使用带有通配符 (*) 的 aws:SourceArn 全局上下文条件键。例如,arn:aws:servicename::region-name::your AWS account ID:*

Amazon Connect Customer Profiles 跨服务混淆座席问题防范

以下示例显示了适用于将其他人设置为 Amazon Connect Customer Profiles 管理员的情形的策略。使用这些策略可防范混淆座席问题。

用于创建 Customer Profiles 域的 Amazon Connect Customer Profiles 示例策略

{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": ["kms:GenerateDataKey", "kms:CreateGrant", "kms:Decrypt"], "Resource": [ "arn:aws:kms:your region-name:your AWS account ID:key/your key ARN" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }

用于创建 Customer Profiles 对象类型的 Amazon Connect Customer Profiles 示例策略

{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": ["kms:GenerateDataKey", "kms:CreateGrant", "kms:Decrypt"], "Resource": [ "arn:aws:kms:your Region:your AWS account ID:key/your key ARN" ], "Condition": { " ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name/objects/your object type" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }

用于创建和更新死信队列的 Amazon Connect Customer Profiles 示例策略

{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow Amazon Connect Customer Profiles to publish messages to your queue", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": "sqs:SendMessage", "Resource": "your dead-letter queue ARN", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID", "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name" } } } ] }

用于在身份解析过程中保护所使用的 Amazon S3 存储桶的 Amazon Connect Customer Profiles 示例策略

{ "Sid": "Allow Amazon Connect Customer Profiles to put S3 objects to your bucket", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your S3 bucket name/*", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" }, "ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/*" } } }

Amazon Connect Voice ID 跨服务混淆座席问题防范

以下 Voice ID 示例显示了要应用的资源策略,以防范混淆座席问题。

{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "voiceid.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:voiceid:your region name:your AWS account ID:domain/your Voice ID domain name" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }

Amazon Connect 聊天消息流跨服务混淆座席问题防范

以下 Amazon Connect 示例显示了要应用的资源策略,以防范混淆座席问题。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"connect.amazonaws.com" }, "Action":"sns:Publish", "Resource":"your SNS topic ARN", "Condition":{ "StringEquals":{ "aws:SourceAccount":"your AWS account ID" }, "ArnEquals":{ "aws:SourceArn":"your Amazon Connect instance ARN" } } } ] }