AWS Cloudtrail – 访问密钥ID随机生成

huangapple go评论59阅读模式
英文:

AWS Cloudtrail - Access Key IDs Randomly Generated

问题

AWS Cloudtrail – 访问密钥ID随机生成

请求在这里输入。我正尝试学习AWS,通过了从业者考试。我尝试过Google,最多只能找到以下信息 -
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

AWS访问密钥

用于签署请求的AWS访问密钥ID。如果请求是使用临时安全凭证发出的,则这是临时凭证的访问密钥ID。

这些临时(??)密钥是什么?

英文:

AWS Cloudtrail – 访问密钥ID随机生成

Requesting for inputs here. I am trying to learn AWS, passed Practitioner. I tried to Google and the max I could find was -
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

AWS access key

The AWS access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials.

What are those temporary (??) keys?

答案1

得分: 3

临时安全凭证在IAM中 - AWS身份和访问管理

> 您可以使用AWS安全令牌服务(AWS STS)创建并提供受信任的用户临时安全凭证,以控制对您的AWS资源的访问。临时安全凭证几乎与长期访问密钥凭证相同,但存在以下差异:
>
> - 临时安全凭证是短期的,正如名称所示。它们可以配置为在几分钟到几小时之间的任何时间段内有效。凭证过期后,AWS将不再识别它们或允许使用它们进行的API请求的任何访问。
> - 临时安全凭证不存储在用户处,而是在请求时动态生成并提供给用户。当(甚至在)临时安全凭证过期时,只要请求它们的用户仍然具有权限,用户就可以请求新的凭证。
>
> 因此,临时凭证相对于长期凭证具有以下优势:
> - 您不必将长期AWS安全凭证与应用程序一起分发或嵌入。
> - 您可以为用户提供对AWS资源的访问权限,而无需为其定义AWS身份。临时凭证是角色和身份联合的基础。
> - 临时安全凭证的寿命有限,因此在不再需要时无需旋转它们或明确撤销它们。临时安全凭证过期后,不能再次使用。您可以指定凭证的有效期,最长为一定限制。

AKIA开头的访问密钥是长期凭证,通常与IAM用户关联。

ASIA开头的访问密钥是由AWS STS创建的临时凭证。除了秘密密钥之外,它们还需要会话令牌。当假定IAM角色时,您将在大多数情况下看到它们。

参见:IAM标识符 - AWS身份和访问管理

英文:

From Temporary security credentials in IAM - AWS Identity and Access Management:

>You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to long-term access key credentials, with the following differences:
>
>- Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.
>- Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.
>
>As a result, temporary credentials have the following advantages over long-term credentials:
>- You do not have to distribute or embed long-term AWS security credentials with an application.
>- You can provide access to your AWS resources to users without having to define an AWS identity for them. Temporary credentials are the basis for roles and identity federation.
>- The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.

Access Keys starting with AKIA are long-term credentials, typically associated with an IAM User.

Access Keys starting with ASIA are temporary credentials created by AWS STS. They also require a session token in addition to the secret key. You will mostly see these when assuming an IAM Role.

See: IAM identifiers - AWS Identity and Access Management

huangapple
  • 本文由 发表于 2023年5月22日 16:13:50
  • 转载请务必保留本文链接:https://go.coder-hub.com/76304209.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定