数据保护策略示例 - Amazon Simple Notification Service
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

数据保护策略示例

以下数据保护策略示例可用于审计和拒绝敏感数据。有关包含示例应用程序的完整教程,请参阅 Introducing message data protection for Amazon SNS(Amazon SNS 消息数据保护简介)博客文章。

审计策略示例

利用审计策略,您可以审计高达 99% 的入站消息,并将发现结果发送至 Amazon CloudWatchAmazon Kinesis Data FirehoseAmazon S3

例如,您可以创建审计策略,评估任何系统是否无意中发送或接收了敏感数据。如果您的审计结果表明系统将信用卡信息发送到了无需这些信息的系统,则可以实施数据保护策略来阻止传输此类数据。

以下示例对流经主题的 99% 的消息进行审计,在其中查找信用卡号并将发现结果发送到 CloudWatch Logs、Kinesis Data Firehose 和 Amazon S3。

数据保护策略

{ "Name": "__example_data_protection_policy", "Description": "Example data protection policy", "Version": "2021-06-01", "Statement": [ { "DataDirection": "Inbound", "Principal": ["*"], "DataIdentifier": [ "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber" ], "Operation": { "Audit": { "SampleRate": "99", "FindingsDestination": { "CloudWatchLogs": { "LogGroup": "<example log name>" }, "Firehose": { "DeliveryStream": "<example stream name>" }, "S3": { "Bucket": "<example bucket name>" } } } } } ] }

审计结果格式示例

{ "messageId": "...", "callerPrincipal": "arn:aws:sts::123456789012:assumed-role/ExampleRole", "resourceArn": "arn:aws:sns:us-east-1:123456789012:ExampleArn", "dataIdentifiers": [ { "name": "CreditCardNumber", "count": 1, "detections": [ { "start": 1, "end": 2 } ] } ], "timestamp": "2021-04-20T00:33:40.241Z" }

策略入站拒绝语句示例

以下示例阻止用户将消息内容中带有 CreditCardNumber 的消息发布到主题。API 响应中被拒绝的负载的状态代码为“403 AuthorizationError”。

{ "Name": "__example_data_protection_policy", "Description": "Example data protection policy", "Version": "2021-06-01", "Statement": [ { "DataDirection": "Inbound", "Principal": [ "arn:aws:iam::123456789012:user/ExampleUser" ], "DataIdentifier": [ "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber" ], "Operation": { "Deny": {} } } ] }

出站拒绝语句策略示例

以下示例阻止 Amazon 账户接收包含 CreditCardNumber 的消息。

{ "Name": "__example_data_protection_policy", "Description": "Example data protection policy", "Version": "2021-06-01", "Statement": [ { "DataDirection": "Outbound", "Principal": [ "arn:aws:iam::123456789012:user/ExampleUser" ], "DataIdentifier": [ "arn:aws:dataprotection::aws:data-identifier/CreditCardNumber" ], "Operation": { "Deny": {} } } ] }

出站拒绝结果示例,记录在 Amazon CloudWatch 中:

{ "notification": { "messageMD5Sum": "2e8f58ff2eeed723b56b15493fbfb5a5", "messageId": "8747a956-ebf1-59da-b291-f2c2e4b87c9c", "topicArn": "arn:aws:sns:us-east-2:664555388960:test1", "timestamp": "2022-09-08 15:40:57.144" }, "delivery": { "deliveryId": "6a422437-78cc-5171-ad64-7fa3778507aa", "destination": "arn:aws:sqs:us-east-2:664555388960:test", "providerResponse": "The topic's data protection policy prohibits this message from being delivered to <subscription arn>", "dwellTimeMs": 22, "attempts": 1, "statusCode": 403 }, "status": "FAILURE" }