Overview
When using COS, you may need to use a temporary key to grant users permissions to certain resources or operations, configure user policies for your sub-users or collaborators that allow them to help you operate on the resources in COS, or create bucket policies that allow the specified users to perform certain operations on or access certain resources in your bucket. When configuring these permissions, please comply with the principle of least privilege in order to ensure the security of your data assets.
The principle of least privilege means that when granting permission, you must specify the scope of the permission granted to the specified user for performing what operation and access what resource under what conditions.
Limits
We recommend you strictly follow the principle of least privilege to ensure that a user can only perform the specified operations (such as action:GetObject
) or access the specified resources (such as resource:examplebucket-1250000000/exampleobject.txt
).
To prevent data security risks caused by unexpected and unauthorized operations due to excessive permissions, we strongly recommend you not authorize a user to access all resources (such as resource:*
) or perform all operations (such as action:*
).
Below are some potential data security risks:
Data leakage: If you want to authorize a user to download the specified resources such as examplebucket-1250000000/data/config.json
and examplebucket-1250000000/video/
but include examplebucket-1250000000/*
in the permission policy, then all objects in the bucket can be downloaded without your authorization, leading to unexpected data leakage.
Data overwriting: If you want to authorize a user to upload examplebucket-1250000000/data/config.json
and examplebucket-1250000000/video/
but include examplebucket-1250000000/*
in the permission policy, then all objects in the bucket can be uploaded without your authorization, which may overwrite unintended objects. To avoid this risk, in addition to following the principle of least privilege, you can retain all versions of data for traceability as instructed in Overview. Permission leakage: If you want to authorize a user to list the objects in the bucket (cos:GetBucket
) but configured cos:*
in the permission policy, then all operations on the bucket will be allowed, including reauthorizing the bucket, deleting objects, and deleting the bucket, which puts your data at extremely high risk.
Usage Guide
Under the principle of least privilege, you should specify the following information in the policy:
principal: you should specify to which sub-account (user ID required), collaborator (user ID required), anonymous user, or user group to grant permission. This is not needed if you use a temporary key for access.
statement: enter the corresponding parameters.
effect: you must specify whether the policy is to "allow" or "deny".
action: you must specify the action to allow or deny. It can be one API operation or a set of API operations.
resource: You must specify the resource for which permission is granted. A resource is described in a six-segment format. You can set the resource as a specific file, e.g., exampleobject.jpg
or a directory, e.g., examplePrefix/*
. Unless needed, do not grant any user the access to all of your resources using the *
wildcard.
condition: it describes the condition for the policy to take effect. A condition consists of operator, action key, and action value. A condition value may contain information such as time and IP address.
Least privilege guide for temporary keys
Authorization example
Granting a user permission to access the specified object using the SDK for Java
If you want to use the Java SDK to grant a user permission to download the exampleObject.txt
object in the examplebucket-1250000000
bucket, the configuration code should be as follows:
import java.util.*;
import org.json.JSONObject;
import com.tencent.cloud.CosStsClient;
public class Demo {
public static void main(String[] args) {
TreeMap<String, Object> config = new TreeMap<String, Object>();
try {
String secretId = System.getenv("secretId");
String secretKey = System.getenv("secretKey");
config.put("SecretId", secretId);
config.put("SecretKey", secretKey);
config.put("durationSeconds", 1800);
config.put("bucket", "examplebucket-1250000000");
config.put("region", "ap-guangzhou");
config.put("allowPrefix", "exampleObject.txt");
String[] allowActions = new String[] {
"name/cos:GetObject"
};
config.put("allowActions", allowActions);
JSONObject credential = CosStsClient.getCredential(config);
System.out.println(credential);
} catch (Exception e){
throw new IllegalArgumentException("no valid secret !");
}
}
}
Granting a user permission to access the specified object using API
If you want to use an API to grant a user permission to download the exampleObject.txt
object in the examplebucket-1250000000
bucket and all objects in the examplePrefix
directory, the access policy should be as follows:
{
"version": "2.0",
"statement": [
{
"action":[
"name/cos:GetObject"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/exampleObject.txt",
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/examplePrefix/*"
]
}
]
}
Least privilege guide for signatures
You can perform temporary uploads and downloads using pre-signed URLs. Moreover, if you send a valid pre-signed URL to others, he (or she) can upload or download the objects.
Note:
Both temporary and permanent keys can be used to generate pre-signed URLs. However, you are advised to follow the least privilege principle when generating a temporary key and use the temporary key to calculate the signature. Try to avoid using a permanent key that has excessive permissions for the sake of security. Authorization example
Granting a user permission to use a pre-signed URL to download an object
Use a temporary key to generate a signed download URL and set it to overwrite some public headers to be returned (such as content-type
and content-language
). The Java code sample is as follows:
String tmpSecretId = "SECRETID";
String tmpSecretKey = "SECRETKEY";
String sessionToken = "TOKEN";
COSCredentials cred = new BasicSessionCredentials(tmpSecretId, tmpSecretKey, sessionToken);
Region region = new Region("COS_REGION");
ClientConfig clientConfig = new ClientConfig(region);
COSClient cosClient = new COSClient(cred, clientConfig);
String bucketName = "examplebucket-1250000000";
String key = "exampleobject";
GeneratePresignedUrlRequest req =
new GeneratePresignedUrlRequest(bucketName, key, HttpMethodName.GET);
ResponseHeaderOverrides responseHeaders = new ResponseHeaderOverrides();
String responseContentType = "image/x-icon";
String responseContentLanguage = "zh-CN";
String responseContentDispositon = "filename=\\"exampleobject\\"";
String responseCacheControl = "no-cache";
String cacheExpireStr =
DateUtils.formatRFC822Date(new Date(System.currentTimeMillis() + 24L * 3600L * 1000L));
responseHeaders.setContentType(responseContentType);
responseHeaders.setContentLanguage(responseContentLanguage);
responseHeaders.setContentDisposition(responseContentDispositon);
responseHeaders.setCacheControl(responseCacheControl);
responseHeaders.setExpires(cacheExpireStr);
req.setResponseHeaders(responseHeaders);
Date expirationDate = new Date(System.currentTimeMillis() + 30L * 60L * 1000L);
req.setExpiration(expirationDate);
URL url = cosClient.generatePresignedUrl(req);
System.out.println(url.toString());
cosClient.shutdown();
Least privilege guide for user policy
Authorization example
Granting an account permission to access the specified object
If you want to grant an account whose UIN is 100000000001
permission to download the exampleObject.txt
object in the examplebucket-1250000000
bucket, the access policy should be as follows:
{
"version": "2.0",
"principal":{
"qcs":[
"qcs::cam::uin/100000000001:uin/100000000001"
]
},
"statement": [
{
"action":[
"name/cos:GetObject"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000.ap-guangzhou.myqcloud.com/exampleObject.txt"
]
}
]
}
Granting a sub-account permission to access the specified directory
If you want to grant a sub-account whose UIN is 100000000011
(root account UIN: 100000000001
) permission to download the objects in the examplePrefix
directory in the examplebucket-1250000000
bucket, the access policy should be as follows:
{
"version": "2.0",
"principal":{
"qcs":[
"qcs::cam::uin/100000000001:uin/100000000011"
]
},
"statement": [
{
"action":[
"name/cos:GetObject"
],
"effect": "allow",
"resource": [
"qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000.ap-guangzhou.myqcloud.com/examplePrefix/*"
]
}
]
}
Least privilege guide for bucket policy
A bucket policy is an access policy configured for a bucket to allow the specified user to perform certain operations on the bucket and resources in it. For more information, please see Adding Bucket Policies. Authorization example
Granting a sub-account permission to access the specified objects
If you want to grant a sub-account whose UIN is 100000000011
(root account UIN: 100000000001
) permission to download the exampleObject.txt
object in the examplebucket-1250000000
bucket and all objects in the examplePrefix
directory, the access policy should be as follows:
{
"Statement":[
{
"Action":[
"name/cos:GetObject"
],
"Effect": "allow",
"Principal":{
"qcs":[
"qcs::cam::uin/100000000001:uin/100000000011"
]
},
"Resource":[
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/exampleObject.txt",
"qcs::cos:ap-beijing:uid/1250000000:examplebucket-1250000000/examplePrefix/*"
]
}
],
"version": "2.0"
}
Apakah halaman ini membantu?