亚马逊S3斗政策 - 限制被引用者的访问,但没有限制,如果通过查询字符串身份验证生成的URL [英] amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication
问题描述
我有以下斗政策我斗设置:
I have the following bucket policy set on my bucket:
{
"Version": "2008-10-17",
"Id": "My access policy",
"Statement": [
{
"Sid": "Allow only requests from our site",
"Effect": "Allow",
"Principal": { "AWS": "*"},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [" http://mydomain.com/*"," http://www.mydomain.com/*"]
}
}
},
{
"Sid": "Dont allow direct acces to files when no referer is present",
"Effect": "Deny",
"Principal": {"AWS": "*" },
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"Null": {"aws:Referer": true }
}
}
]
}
我还配置<一href="http://s3.amazonaws.com/quotes/nelson?AWSAccessKeyId=44CF9590006BF252F707&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2byT272YEAiv4=">query字符串认证,但它看起来像我不能兼得。如果我有我的水桶政策设置为拒绝不从MYDOMAIN发起的任何请求,使用查询字符串验证我的临时网址也不会得到服务。所以我的问题是,我该如何兼得?有没有一种方法来检查URL参数,看看它是否有一个名为签名的参数,并在这种情况下不适用的引荐策略?
I also configured query string authentication, but it looks like I can't have both. If I have my bucket policies set to deny any request that doesn't originate from mydomain, my temporary url using query string authentication will also not get served. So my question is, how can i have both ? Is there a way to check for url parameters and see if it has a parameter called "Signature" and in that case not apply the referer policy?
推荐答案
删除的引荐字符串空间 http://mydomain.com/ *这是错误的...亚马逊的例子也犯了那个错误。
Remove the space in the referrers string " http://mydomain.com/*" that's wrong... the Amazon examples made that mistake too.
有关第二条语句的简单的方法来解决这个问题是要删除整条语句,让你的文件的权限(访问控制列表)设置为私有(所有者读/写和世界拒读/ NOWRITE)
For the second statement the easier way to solve it is to remove that entire statement and have your files permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite)
我不知道,但看来,即使你有一个拒绝声明文件仍然可以,如果它有一个公共的权限读取(世界读)。
I am not sure, but in appears that even if you have a Deny Statement a file can still be read if it has a public permission (World Read).
另外,如果您正在分发的CloudFront的文件记得要使它能够访问桶了。因此,一个完整的桶政策将是这样的:
Also, if you are distributing the files on CloudFront remember to allow it to read the bucket too. So a complete bucket policy will look like:
{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
{
"Sid": "Allow get requests to specific referrers",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.yourwebsite.com/*",
"http://yourwebsite.com/*"
]
}
}
},
{
"Sid": "Allow CloudFront get requests",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*"
}
]
}
(改变12345678到您的AWS帐户ID号码没有破折号)
(change the 12345678 to your AWS account ID number without the dashes)
这篇关于亚马逊S3斗政策 - 限制被引用者的访问,但没有限制,如果通过查询字符串身份验证生成的URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
