本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
跨服务混淆代理问题防范
混淆代理问题是一个安全性问题,即不具有操作执行权限的实体可能会迫使具有更高权限的实体执行该操作。在 AWS 中,跨服务模拟可能会导致混淆代理问题。一个服务(呼叫服务) 调用另一项服务(所谓的服务)时,可能会发生跨服务模拟。可以操纵调用服务,使用其权限以在其他情况下该服务不应有访问权限的方式对另一个客户的资源进行操作。为了防止这种情况,AWS 提供可帮助您保护所有服务的服务委托人数据的工具,这些服务委托人有权限访问账户中的资源。
我们建议使用资源策略中的aws:SourceArn和aws:SourceAccount全局条件上下文键,限制 Amazon Connect 为另一项服务提供的资源访问权限。如果使用两个全局条件上下文键,在同一策略语句中使用时,aws:SourceAccount 值和 aws:SourceArn 值中的账户必须使用相同的账户 ID。
防止混淆代理问题最有效的方法是使用要允许的资源的确切Amazon Resource Name (ARN)。如果不知道资源的完整 ARN,或者正在指定多个资源,请针对 ARN 未知部分使用带有通配符 (*) 的 aws:SourceArn 全局上下文条件键。例如,arn:aws:。servicename::region-name::your AWS account ID:*
Amazon Connect 服务混淆代理
以下示例显示了适用于将其他人设置为 Amazon Connect 客户资料管理员的政策。使用这些政策来防止责任混淆问题。
用于创建客户资料域的 Amazon Connect 客户资料政策示例
{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": ["kms:GenerateDataKey", "kms:CreateGrant", "kms:Decrypt"], "Resource": [ "arn:aws:kms:your region-name:your AWS account ID:key/your key ARN" ], "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }
用于创建客户档案对象类型的 Amazon Connect 客户资料策略示例
{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": ["kms:GenerateDataKey", "kms:CreateGrant", "kms:Decrypt"], "Resource": [ "arn:aws:kms:your Region:your AWS account ID:key/your key ARN" ], "Condition": { " ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name/objects/your object type" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }
用于创建和更新死信队列的 Amazon Connect 客户资料政策示例
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow Amazon Connect Customer Profiles to publish messages to your queue", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": "sqs:SendMessage", "Resource": "your dead-letter queue ARN", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID", "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/your Customer Profiles domain name" } } } ] }
Amazon Connect 客户档案策略示例,用于保护身份解析过程中使用的 Amazon S3 存储桶
{ "Sid": "Allow Amazon Connect Customer Profiles to put S3 objects to your bucket", "Effect": "Allow", "Principal": { "Service": "profile.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your S3 bucket name/*", "Condition": { "StringEquals": { "aws:SourceAccount": "your AWS account ID" }, "ArnEquals": { "aws:SourceArn": "arn:aws:profile:your region name:your AWS account ID:domains/*" } } }
Amazon Connect Voice ID 跨服务混淆代理
以下 Voice ID 示例显示了为防止代理人混淆问题而应用的资源策略。
{ "Version": "2012-10-17", "Statement": { "Sid": "ConfusedDeputyPreventionExamplePolicy", "Effect": "Allow", "Principal": { "Service": "voiceid.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnEquals": { "aws:SourceArn": "arn:aws:voiceid:your region name:your AWS account ID:domain/your Voice ID domain name" }, "StringEquals": { "aws:SourceAccount": "your AWS account ID" } } } }
针对 Amazon Connect 防止跨服务混淆代理
以下 Amazon Connect 示例显示了为防止代理人出现混乱问题而适用的资源政策。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"connect.amazonaws.com" }, "Action":"sns:Publish", "Resource":"your SNS topic ARN", "Condition":{ "StringEquals":{ "aws:SourceAccount":"your AWS account ID" }, "ArnEquals":{ "aws:SourceArn":"your Amazon Connect instance ARN" } } } ] }
