Security

For identification and authentication, calls to the Event Notification Web Service must be signed with an Amazon Web Services (AWS) X.509 certificate according to the WS-Security standard. Because the X.509 certificate is associated with your account information, the public key in the certificate is used to identify you, and the signature is used to verify that the request is authentic (that it was produced by the holder of the matching private key and has not been altered).

In addition, all Web Service requests are sent over Secure Sockets Layer (SSL) transport encryption, so that your account data cannot be captured or tampered with in transit. (SSL is the name used in this documentation; the protocol in current use is its successor, TLS.)

Before you can use the Event Notification Web Service, you need an X.509 certificate and private key registered with Amazon Web Services. Note: you can have only one X.509 certificate associated with your account at any time. Uploading or creating a new certificate replaces any older certificate you have, so any client that still signs with the old key will be rejected from that point on; rotate the certificate before you retire the old key from your clients, not after.


If you have already created an X.509 certificate, see your toolkit's documentation on how to export your public key as a PEM (Base64-encoded) certificate file. It will look like the following:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Then follow the steps below to register the certificate with AWS.

  1. In your web browser, go to http://aws.amazon.com

  2. On the right side of the page you will see a button titled "Your Web Services Account". Hovering the mouse over this button opens a menu. Click the "View Access Key Identifiers" link.

  3. You will need to sign in to your account. Sign in with the e-mail address and password of your primary account. If you have never used Amazon Web Services before, you may need to create an account.

  4. On the "AWS Access Identifiers" page that follows, find the "X.509 Certificate" section. Click the "Upload" button.

  5. On the next page you will be warned that uploading a certificate replaces any older certificates already associated with your account. If that is OK, click "Yes" to continue.

  6. Click the "Browse" button to open a file selection dialog and locate your exported .pem certificate. After locating the certificate, click "Upload" to upload it to AWS.


If you have not yet created an X.509 certificate, you can create one on the AWS portal, download it, and register it in the same step, as follows.

  1. In your web browser, go to http://aws.amazon.com

  2. On the right side of the page you will see a button titled "Your Web Services Account". Hovering the mouse over this button opens a menu. Click the "View Access Key Identifiers" link.

  3. You will need to sign in to your account. Sign in with the e-mail address and password of your primary account. If you have never used Amazon Web Services before, you may need to create an account.

  4. On the "AWS Access Identifiers" page that follows, find the "X.509 Certificate" section. Click "Create New" to create a new certificate.

  5. On the next page you will be warned that creating a certificate replaces any older certificates already associated with your account. If that is OK, click "Yes" to continue.

  6. If creation succeeds, you will see a page with two download buttons, one labeled "Download Private Key File" and the other labeled "Download X.509 Certificate". Click "Download Private Key File" to download the private key, save it to your computer, and move it to a secure location. Click "Download X.509 Certificate" and save that file to your computer.


Note: You can download the X.509 certificate (the public key) at any time, but be sure to download the private key while you are still on this page. Once you leave this page, you cannot download the private key again. AWS does not store the private key and provides no way to regenerate the same key values. If you generate new key values, your existing keys become invalid. Treat the downloaded private key as the credential it is: anyone who obtains it can sign requests as your account, so store it with restrictive file permissions and keep it out of source control.

Once you have registered your X.509 certificate with Amazon Web Services, you can begin signing Event Notification Web Service requests using WS-Security. For details, see the reference material for your chosen programming language and the Web Services toolkit documentation, or the SDKs provided by Amazon. Additional examples can be found on the Amazon Web Services portal at http://aws.amazon.com.
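The relationship the text describes (certificate for identification, signature for authenticity, private key that only you hold) is shown below as an added example in Go. It is not code from the Amazon page or from any AWS toolkit; it uses only the Go standard library. The example creates an RSA key and a self-signed X.509 certificate, exports the certificate in the same PEM form the page shows, checks that a PEM file really is a certificate before you would upload it, signs a request body with the private key, and verifies the signature with the certificate, including the failure on a tampered body. The subject name, the request body and the function names are placeholders chosen for the example; real WS-Security wraps an XML-Signature around the SOAP envelope, which this example does not reproduce, it shows only the underlying sign/verify step.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is the pair the page tells you to keep: the X.509 certificate
// (public, registered with AWS) and the private key (never leaves your side).
type Credential struct {
	CertPEM []byte
	KeyPEM  []byte
}

// NewCredential generates an RSA key and a self-signed X.509 certificate for
// it and returns both as PEM. The certificate PEM has the same
// "-----BEGIN CERTIFICATE-----" form shown on the page. commonName is a
// hypothetical placeholder supplied by the caller.
func NewCredential(commonName string, validFor time.Duration) (Credential, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Credential{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Credential{}, err
	}
	return Credential{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	}, nil
}

// ParseCertPEM is the check to run before uploading: the file must be a PEM
// CERTIFICATE block (not the private key by mistake) that parses as X.509.
func ParseCertPEM(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM-encoded CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SignRequest signs a request body with the private key: SHA-256 digest,
// RSA PKCS#1 v1.5 signature (the primitive under WS-Security's XML-Signature).
func SignRequest(keyPEM, body []byte) ([]byte, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return nil, errors.New("not a PEM-encoded RSA PRIVATE KEY block")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyRequest is the service side: the certificate identifies the caller
// (its public key), and the signature proves the body was not altered.
func VerifyRequest(certPEM, body, sig []byte) error {
	cert, err := ParseCertPEM(certPEM)
	if err != nil {
		return err
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not valid at this time")
	}
	return cert.CheckSignature(x509.SHA256WithRSA, body, sig)
}

func main() {
	cred, err := NewCredential("example.invalid", 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(cred.CertPEM)) // the file you would upload to AWS
	// Constructed sample request body; not a real ENS message.
	body := []byte(`<Request><Op>RegisterSubscription</Op></Request>`)
	sig, err := SignRequest(cred.KeyPEM, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine request:", VerifyRequest(cred.CertPEM, body, sig))
	tampered := []byte(`<Request><Op>RegisterSubscription</Op><Extra/></Request>`)
	fmt.Println("tampered request:", VerifyRequest(cred.CertPEM, tampered, sig))
}
```

`ParseCertPEM` deliberately rejects a PEM file whose block type is anything other than CERTIFICATE, which catches the common mistake of uploading the private key file in the "Upload" step; the private key must never leave your machine. `VerifyRequest` also rejects a certificate outside its validity window, a check the server performs that a client using an expired certificate will otherwise only discover as a rejected request.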


Original text from the Amazon website:

Security with Event Notification Web Service

For identification and authentication, calls to the Event Notification Web Service (ENS) must be signed using an Amazon Web Services (AWS) X.509 certificate according to the WS-Security standard. Since your X.509 certificate is associated with your account information, your public key is used for identification while the signature is used to verify that the request is authentic. In addition, all Web Service requests are encrypted using Secure Socket Layer (SSL) encryption, ensuring that your account data is secure from tampering and capture while in transit.


Before you can use ENS, you will need an X.509 certificate and private key registered with Amazon Web Services.

Note: You can only have one X.509 certificate associated with your account at any point in time. Uploading or creating a new certificate will replace any older certificate you have.


If you have already created an X.509 certificate, reference your toolkit documentation on how to export your public key as a .PEM Base64 encoded certificate file. It will look like the following:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Follow the steps below to register your certificate with AWS.

  1. Go to http://aws.amazon.com

  2. On the right side of the page, hover your mouse over the Your Web Services Account button until a menu appears. Click the View Access Key Identifiers link. You will be asked to sign into your account.

  3. Log in using the e-mail address and password of your primary account. If you have never used Amazon Web Services before, you may be asked to create an account.

  4. Scroll down the AWS Access Identifiers page to the X.509 Certificate section.

    • If you already have a certificate with AWS, click the Upload button.

    • If you haven't already created a certificate with AWS, click Create New.

  5. In the next page, you will be warned that uploading a certificate will replace any older certificates you have already associated with your account. If that is OK, click Yes to continue.

    • If you are uploading an existing certificate, click the Browse button to open a file selection dialog box where you can locate your exported .pem certificate. After locating your certificate, click Upload to upload it to AWS.

    • If you are creating a new certificate, you will see a page with two download buttons, one labeled Download Private Key File and the other labeled Download X.509 Certificate. Click Download Private Key File to download the private key, save it to your computer, and move the key to a secure place. Click Download X.509 Certificate and save the file to your computer.

Note: While you can download the X.509 certificate (the public key) at any time, be sure you download the private key while you are still on this page—after you leave this page, you cannot download the private key again. AWS does not store the private key and does not provide a way to regenerate the same key values. If you regenerate new key values, your existing keys are invalidated.

Once you have registered your X.509 certificate with Amazon Web Services, you are ready to begin signing your Event Notification Web Service requests using WS-Security. For details, see the documentation for your chosen programming language and Web Services toolkit, or the SDKs provided by Amazon Services. Some additional examples can be found on the Amazon Web Services portal at http://aws.amazon.com.


Source: Amazon official website