本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
以下数据保护策略示例可用于审计和拒绝敏感数据。有关包含示例应用程序的完整教程,请参阅 Introducing message data protection for Amazon SNS
审计策略示例
审计策略允许您审计多达 99% 的入站邮件,并将调查结果发送到亚马逊 CloudWatch、Amazon Data Firehose 和亚马逊 S3。
例如,您可以创建审计策略,评估任何系统是否无意中发送或接收了敏感数据。如果您的审计结果表明系统将信用卡信息发送到了无需这些信息的系统,则可以实施数据保护策略来阻止传输此类数据。
以下示例通过查找信用卡号并将发现结果发送到 Lo CloudWatch gs、Firehose 和 Amazon S3 来审核通过该主题的 99% 的消息。
数据保护策略:
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": ["*"],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Audit": {
"SampleRate": "99",
"FindingsDestination": {
"CloudWatchLogs": {
"LogGroup": "<example log name>"
},
"Firehose": {
"DeliveryStream": "<example stream name>"
},
"S3": {
"Bucket": "<example bucket name>"
}
}
}
}
}
]
}审计结果格式示例:
{
"messageId": "...",
"callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole",
"resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn",
"dataIdentifiers": [
{
"name": "CreditCardNumber",
"count": 1,
"detections": [
{ "start": 1, "end": 2 }
]
}
],
"timestamp": "2021-04-20T00:33:40.241Z"
}
带有入站去身份识别遮蔽语句的策略示例
以下示例通过遮蔽消息内容中的敏感数据,阻止用户将带有 CreditCardNumber 的敏感消息发布到主题。
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "#"
}
}
}
}
]
}入站去身份识别遮蔽结果示例:
// original message My credit card number is 4539894458086459 // delivered message My credit card number is ################
带有入站去身份识别去除语句的策略示例
以下示例通过去除消息内容中的敏感数据,阻止用户将带有 CreditCardNumber 的敏感消息发布到主题。
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}入站去身份识别去除结果示例:
// original message My credit card number is 4539894458086459 // delivered message My credit card number is
带有出站去身份识别遮蔽语句的策略示例
以下示例通过遮蔽消息内容中的敏感数据,阻止用户使用 CreditCardNumber 接收消息。
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"MaskConfig": {
"MaskWithCharacter": "-"
}
}
}
}
]
}出站去身份识别遮蔽结果示例:
// original message My credit card number is 4539894458086459 // delivered message My credit card number is ----------------
带有入站去身份识别去除语句的策略示例
以下示例通过去除消息内容中的敏感数据,阻止用户使用 CreditCardNumber 接收消息。
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deidentify": {
"RedactConfig": {}
}
}
}
]
}出站去身份识别去除结果示例:
// original message My credit card number is 4539894458086459 // delivered message My credit card number is
入站拒绝语句示例策略
以下示例阻止用户将消息内容中带有 CreditCardNumber 的消息发布到主题。API 响应中被拒绝的负载的状态码为”403 AuthorizationError".
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Inbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}
出站拒绝语句示例策略
以下示例阻止一个 AWS 账户接收包含以下内容的消息CreditCardNumber。
{
"Name": "__example_data_protection_policy",
"Description": "Example data protection policy",
"Version": "2021-06-01",
"Statement": [
{
"DataDirection": "Outbound",
"Principal": [
"arn:aws:iam::123456789012:user/ExampleUser"
],
"DataIdentifier": [
"arn:aws:dataprotection::aws:data-identifier/CreditCardNumber"
],
"Operation": {
"Deny": {}
}
}
]
}出站拒绝结果示例,已登录 Amazon CloudWatch:
{
"notification": {
"messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5",
"messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c",
"topicArn": "arn:aws:sns:us-east-2:664555388960:test1",
"timestamp": "2022-09-08 15:40:57.144"
},
"delivery": {
"deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa",
"destination": "arn:aws:sqs:us-east-2:664555388960:test",
"providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription arn>",
"dwellTimeMs": 22,
"attempts": 1,
"statusCode": 403
},
"status": "FAILURE"
}