我希望有人能够确认我当前的存储桶策略是否按预期配置为强制执行 TLS 1.2 及更高版本。据我所知,它配置正确,但我不断收到来自 Amazon 的电子邮件警告,自 2023 年 12 月 31 日起,TLS 1.0 / TLS 1.1 将关闭,与我的 S3 存储桶的连接将失败。
以下是我当前的政策 JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[INSTANCE_NAME]-s3-live/*",
"Condition": {
"NumericLessThanEquals": {
"s3:TlsVersion": "1.2"
}
}
}
]
}
我使用了一些在线工具,这些工具确实确认我的存储桶确实支持 TLS 1.2+,但来自 Amazon 的这些电子邮件仍然存在。
下面是详细说明失败的电子邮件片段。
Please see the following for S3 buckets in which object-level calls were made over TLS 1.0 or TLS 1.1 connections between July 17, 2023 and July 25,
2023 (the UserAgent may be truncated due to a limit in the number of characters that can be displayed):
Connections details will be in the following format:
Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent
eu-west-1 | [INSTANCE_NAME]-s3-live | REST.GET.OBJECT | TLSv1 | 5 |
如有任何帮助,我们将不胜感激。谢谢。
您的政策
Allow
提出了请求(条件不正确),但它没有提出Deny
请求。
请参阅 https://repost.aws/knowledge-center/s3-enforce-modern-tls 了解正确的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPem",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["arn:aws:s3:::[INSTANCE_NAME]-s3-live", "arn:aws:s3:::[INSTANCE_NAME]-s3-live/*"]
"Condition": {
"NumericLessThanEquals": {
"s3:TlsVersion": 1.2
}
}
}
]
}
主要区别是
Deny
和 NumericLessThanEquals
。