在公共读取URL上对Amazon s3的用户级别权限 [英] User level permissions on Amazon s3 on Public read URL

问题描述

我在CanvasChannelList作为PublicRead的Amazon s3上上传了一些文件.请记住，只有此文件具有公共读取权限，而不是整个存储桶或文件夹.用户将可以使用给定的URL访问该文件.但这是一个安全问题，用户可以操纵该给定URL来访问相同或不同文件夹中的其他文件. 用户在击中该URL时，读取文件时是否需要发送某种身份验证密钥的方法，以及如何让用户知道他们必须使用哪个身份验证密钥? 我已经阅读了有关IAM用户的信息，但这是用于上传文件以及所有其他信息.我只想在使用URL读取数据时进行一些认证.

I have uploaded few files on Amazon s3 with CannedChannelList as PublicRead. Remember only this file has public read permissions, not the whole bucket or folder. And user will be able to access that file using given URL. But here is one security concern which is user can manipulate that given URL to access other files in the same or different folder. Is there any way that user will need to send some authentication key while hitting that URL, while reading the file and how can I let users know which authentication key they have to use? I've read about IAM users but that is for uploading file and all that. I just want some authentication while reading data using URL.

数据是由单个管理员用户上传的，但是，所有用户都已将数据发送到我的服务器，而我正在使用单个管理员用户上传S3上的所有用户.

Data was uploaded by single admin user, however, all users sent data to my server and I am using single admin user for uploading all of those on S3.

这是我用于管理员用户的政策.

This is the policy I am using for admin user.

if(isBucketExist(bucketName)){
                Statement allowPublicReadStatement = new     Statement(Statement.Effect.Allow) 
                        .withPrincipals(Principal.AllUsers) 
                        .withActions(S3Actions.GetObject)
                        .withResources(new S3ObjectResource(bucketName, "*"));
Policy policy = new Policy()
                        .withStatements(allowPublicReadStatement
                                                        );
amazonS3.setBucketPolicy(bucketName, policy.toJson());
            }

这是上传数据时的CannedChannelList

And this is the CannedChannelList while uploading data

InitiateMultipartUploadRequest(bucketName, folderName).withCannedACL(CannedAccessControlList.PublicRead);

推荐答案

您是否尝试对IAM策略使用"s3:GetObject"操作，然后可以指定资源arn，例如"arn:aws:s3 :::" examplebucket/*"或您希望用户具有读取权限的任何特定前缀.

Have you tried using the "s3:GetObject" action on a IAM policy and then you can specify the resource arn like "arn:aws:s3:::examplebucket/*" or any specific prefix you want the users to have read access to.

IAM政策的示例如下:

An example of IAM policy would be like:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowListingOfS3",
        "Action": [
            "s3:ListBucket"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucket-name"
        ],
        "Condition": {
            "StringLike": {
                "s3:prefix": [
                    "folder/sub-folder/*"
                ]
            }
        }
    },
    {
        "Sid": "AllowAllS3ActionsInFolder",
        "Effect": "Allow",
        "Action": [
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::bucket-name/folder/sub-folder/*"
        ]
    }
]
}

这篇关于在公共读取URL上对Amazon s3的用户级别权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！