The following examples are data protection policies you can use to audit and deny sensitive data. For a complete tutorial that includes an example application, see Introducing message data protection for Amazon SNS.
Example policy for auditing
An audit policy lets you audit up to 99% of inbound messages and send the findings to Amazon CloudWatch, Amazon Data Firehose, and Amazon S3.
For example, you can create an audit policy to evaluate whether any system is unexpectedly sending or receiving sensitive data. If the audit results show that a system is sending credit card information to a system that does not need it, you can use a block policy to prevent the data from being delivered.
The following example audits 99% of the messages that pass through the topic by looking for credit card numbers and sending a list of findings to CloudWatch Logs, Firehose, and Amazon S3.
Data protection policy:
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": ["*"],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Audit": {
          "SampleRate": "99",
          "FindingsDestination": {
            "CloudWatchLogs": {
              "LogGroup": "<example log name>"
            },
            "Firehose": {
              "DeliveryStream": "<example stream name>"
            },
            "S3": {
              "Bucket": "<example bucket name>"
            }
          }
        }
      }
    }
  ]
}
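Added here as an example (not code from the page or from AWS): a local linter for the policy shapes shown on this page, with the audit policy above rebuilt as a Python dict. The structural rules are derived from the page's examples and the stated 99% audit cap, not from the service's published schema, so treat them as assumptions; the linter checks that each statement names a direction, principals, data-identifier ARNs and exactly one operation.

```python
import json

# The page's audit policy rebuilt as a Python dict; the <...> placeholders are kept from the page.
AUDIT_POLICY = {
    "Name": "__example_data_protection_policy",
    "Description": "Example data protection policy",
    "Version": "2021-06-01",
    "Statement": [{
        "DataDirection": "Inbound",
        "Principal": ["*"],
        "DataIdentifier": ["arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"],
        "Operation": {"Audit": {"SampleRate": "99", "FindingsDestination": {
            "CloudWatchLogs": {"LogGroup": "<example log name>"}}}},
    }],
}

def validate_policy(policy):
    """Return a list of problems found; an empty list means every check passed."""
    issues = []
    for key in ("Name", "Version", "Statement"):
        if key not in policy:
            issues.append(f"missing top-level key {key}")
    for i, st in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        if st.get("DataDirection") not in ("Inbound", "Outbound"):
            issues.append(f"{where}: DataDirection must be Inbound or Outbound")
        if not st.get("Principal"):
            issues.append(f"{where}: Principal must be a non-empty list")
        ids = st.get("DataIdentifier", [])
        if not ids or any(not d.startswith("arn:aws:dataprotection::") for d in ids):
            issues.append(f"{where}: DataIdentifier must list data-protection identifier ARNs")
        ops = st.get("Operation", {})
        if len(ops) != 1 or next(iter(ops)) not in ("Audit", "Deidentify", "Deny"):
            issues.append(f"{where}: Operation must be exactly one of Audit, Deidentify, Deny")
            continue
        name, cfg = next(iter(ops.items()))
        if name == "Audit":
            rate = str(cfg.get("SampleRate", ""))
            # The page caps auditing at 99% of messages; a lower bound of 1 is assumed here.
            if not (rate.isdigit() and 1 <= int(rate) <= 99):
                issues.append(f"{where}: Audit.SampleRate must be an integer string from 1 to 99")
            if not cfg.get("FindingsDestination"):
                issues.append(f"{where}: Audit needs at least one FindingsDestination")
        elif name == "Deidentify" and set(cfg) not in ({"MaskConfig"}, {"RedactConfig"}):
            issues.append(f"{where}: Deidentify needs exactly one of MaskConfig or RedactConfig")
        elif name == "Deny" and cfg != {}:
            issues.append(f"{where}: Deny takes an empty object")
    return issues
```

Run validate_policy over a policy before handing json.dumps(policy) to the API, so a typo such as "SampleRate": "100" is caught locally rather than at deployment time.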
Example audit finding format:
{
  "messageId": "...",
  "callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
  "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
  "dataIdentifiers": [
    {
      "name": "CreditCardNumber",
      "count": 1,
      "detections": [
        { "start": 1, "end": 2 }
      ]
    }
  ],
  "timestamp": "2021-04-20T00:33:40.241Z"
}
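Added example (not from the page): aggregating a batch of audit findings in the format above by caller principal, to answer the question this section raises, namely which systems are unexpectedly sending card data. The findings and the EXPECTED_SENDERS allow list are constructed for this example; estimate_unsampled scales an observed count back up by the audit SampleRate, since sampled auditing never inspects every message.

```python
import json
from collections import defaultdict

# Constructed audit findings in the format shown above; the values are made up for this example.
SAMPLE_FINDINGS = [json.dumps(f) for f in [
    {"messageId": "m-1", "callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
     "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
     "dataIdentifiers": [{"name": "CreditCardNumber", "count": 1, "detections": [{"start": 1, "end": 2}]}],
     "timestamp": "2021-04-20T00:33:40.241Z"},
    {"messageId": "m-2", "callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
     "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
     "dataIdentifiers": [{"name": "CreditCardNumber", "count": 2,
                          "detections": [{"start": 1, "end": 2}, {"start": 3, "end": 4}]}],
     "timestamp": "2021-04-20T00:35:10.000Z"},
    {"messageId": "m-3", "callerPrincipal": "arn:aws:iam::123456789012:user/BillingBatch",
     "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
     "dataIdentifiers": [{"name": "CreditCardNumber", "count": 1, "detections": [{"start": 5, "end": 6}]}],
     "timestamp": "2021-04-20T00:36:00.000Z"},
]]

# Hypothetical allow list: principals that are expected to publish card data to this topic.
EXPECTED_SENDERS = {"arn:aws:iam::123456789012:user/BillingBatch"}

def aggregate_findings(lines):
    """Sum detections per (callerPrincipal, resourceArn, identifier name) across a batch of findings."""
    totals = defaultdict(int)
    for line in lines:
        finding = json.loads(line)
        for ident in finding.get("dataIdentifiers", []):
            key = (finding["callerPrincipal"], finding["resourceArn"], ident["name"])
            totals[key] += int(ident.get("count", len(ident.get("detections", []))))
    return dict(totals)

def unexpected_senders(lines, allowed=EXPECTED_SENDERS):
    """Principals seen sending sensitive data that are not on the allow list: candidates for a Deny statement."""
    return sorted({principal for (principal, _, _) in aggregate_findings(lines) if principal not in allowed})

def estimate_unsampled(observed, sample_rate):
    """Scale an observed count up by the audit SampleRate (1-99), since unsampled messages are never inspected."""
    return round(observed * 100 / int(sample_rate))
```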
Example policy with an inbound deidentify mask statement
The following example masks sensitive data in the message content, preventing users from publishing messages with a CreditCardNumber to the topic.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {
            "MaskWithCharacter": "#"
          }
        }
      }
    }
  ]
}
Example inbound deidentify mask result:
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ################
Example policy with an inbound deidentify redact statement
The following example redacts sensitive data in the message content, preventing users from publishing messages with a CreditCardNumber to the topic.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "RedactConfig": {}
        }
      }
    }
  ]
}
Example inbound deidentify redact result:
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
Example policy with an outbound deidentify mask statement
The following example masks sensitive data in the message content, preventing users from receiving messages with a CreditCardNumber.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "MaskConfig": {
            "MaskWithCharacter": "-"
          }
        }
      }
    }
  ]
}
Example outbound deidentify mask result:
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is ----------------
Example policy with an outbound deidentify redact statement
The following example redacts sensitive data in the message content, preventing users from receiving messages with a CreditCardNumber.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deidentify": {
          "RedactConfig": {}
        }
      }
    }
  ]
}
Example outbound deidentify redact result:
// original message
My credit card number is 4539894458086459
// delivered message
My credit card number is
Example policy with an inbound deny statement
The following example prevents users from publishing messages with a CreditCardNumber in the message content to the topic. The status code for the denied payload in the API response is 403 AuthorizationError.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Inbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deny": {}
      }
    }
  ]
}
Example policy with an outbound deny statement
The following example blocks an AWS account from receiving messages that contain a CreditCardNumber.
{
  "Name": "__example_data_protection_policy",
  "Description": "Example data protection policy",
  "Version": "2021-06-01",
  "Statement": [
    {
      "DataDirection": "Outbound",
      "Principal": [
        "arn:aws:iam::123456789012:user/ExampleUser"
      ],
      "DataIdentifier": [
        "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
      ],
      "Operation": {
        "Deny": {}
      }
    }
  ]
}
Example outbound deny result as logged in Amazon CloudWatch:
{
  "notification": {
    "messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5",
    "messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c",
    "topicArn": "arn:aws:sns:us-east-2:664555388960:test1",
    "timestamp": "2022-09-08 15:40:57.144"
  },
  "delivery": {
    "deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa",
    "destination": "arn:aws:sqs:us-east-2:664555388960:test",
    "providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription arn>",
    "dwellTimeMs": 22,
    "attempts": 1,
    "statusCode": 403
  },
  "status": "FAILURE"
}
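Added example (not from the page): a small filter over delivery-status records in the format above that separates denials caused by the topic's data protection policy from other delivery failures, by matching the 403 status together with the providerResponse text shown on this page. The records are constructed; the third one stands in for an unrelated 403 from the destination and its providerResponse is a placeholder, not a real SNS message.

```python
import json

# Constructed delivery-status records in the format shown above (not real log data).
SAMPLE_DELIVERY_LOGS = [json.dumps(r) for r in [
    {"notification": {"messageId": "m-1", "topicArn": "arn:aws:sns:us-east-2:123456789012:test1",
                      "timestamp": "2022-09-08 15:40:57.144"},
     "delivery": {"destination": "arn:aws:sqs:us-east-2:123456789012:test",
                  "providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription arn>",
                  "dwellTimeMs": 22, "attempts": 1, "statusCode": 403},
     "status": "FAILURE"},
    {"notification": {"messageId": "m-2", "topicArn": "arn:aws:sns:us-east-2:123456789012:test1",
                      "timestamp": "2022-09-08 15:41:02.010"},
     "delivery": {"destination": "arn:aws:sqs:us-east-2:123456789012:test",
                  "providerResponse": "<constructed placeholder for a successful delivery>",
                  "dwellTimeMs": 18, "attempts": 1, "statusCode": 200},
     "status": "SUCCESS"},
    {"notification": {"messageId": "m-3", "topicArn": "arn:aws:sns:us-east-2:123456789012:test1",
                      "timestamp": "2022-09-08 15:41:30.500"},
     "delivery": {"destination": "arn:aws:sqs:us-east-2:123456789012:other",
                  "providerResponse": "<constructed placeholder for an unrelated 403 from the destination>",
                  "dwellTimeMs": 40, "attempts": 3, "statusCode": 403},
     "status": "FAILURE"},
]]

def is_data_protection_denial(record):
    """True only for failures that SNS itself refused under the topic's data protection policy."""
    delivery = record.get("delivery", {})
    return (record.get("status") == "FAILURE" and delivery.get("statusCode") == 403
            and "data protection policy" in delivery.get("providerResponse", ""))

def denials_by_destination(lines):
    """Count data-protection denials per subscription endpoint to see which consumers are affected."""
    counts = {}
    for line in lines:
        record = json.loads(line)
        if is_data_protection_denial(record):
            dest = record["delivery"]["destination"]
            counts[dest] = counts.get(dest, 0) + 1
    return counts
```

A rising count for a destination that should never receive card data is the expected, healthy signal; a count for a destination that legitimately needs it means the policy's Principal or DataIdentifier scope needs adjusting.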