S3斗政策准入条件 [英] S3 bucket policy access conditions

问题描述

我有一个这样的S3存储政策，拒绝如果引用者不在

I have an s3 bucket policy like this which denies requests if the referer is not listed under

{
    "Sid": "6",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my_bucket_name/*",
    "Condition": {
        "StringNotLike": {
            "aws:Referer": [
                "http://example1.com/*",
                "http://example2.com/*",
                "https://*amazon.com*/*" 
            ]
        }
    }
}

请注意，我试图 HTTPS：//*amazon.com*/*，HTTPS：//*aws.amazon.com*，HTTPS：//*amazon.com*,http：// * amazon.com * 我的问题是，我不能够获得弹性trasn codeRS（AWS的服务之一）引用者当它试图获取一个对象，因此这项工作提供了一个错误是这样的您没有权限从指定斗读取指定的对象所需的。注意一切工作正常，如果我删除策略。所以我的问题是，我应该把弹性TRAN codeRS引荐的？我试过几个组合，并搜查这里和那里，但都在vain.Please也让我知道，如果你认为有更好的方法来此。

note i tried https://*amazon.com*/*, https://*aws.amazon.com* ,https://*amazon.com*,http://*amazon.com* my problem is that I am not able to get elastic trasncoders(one of the aws service) referer when it tries to fetch the object and thus the job gives an error like this "You do not have the permissions required to read the specified object from the specified bucket". Note everything works fine if I remove the policy. So my question is that what should I put elastic trancoders referer as?. I tried couple of combinations and searched here and there but all in vain.Please do let me know if you think that there is a better way to this.

• 更新：

也就是有，我可以通过过滤桶政策一些拒绝请求的方式，例如，在上述情况下，我可以允许的请求而不是来自上面的域，但与一个特定的IP地址。从亚马逊的文档<一href="http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc"相对=nofollow>此处我看到他们第一次检查明确否认，然后将这些拒绝的请求没有检查是否有解决的办法？ 任何形式的帮助将是非常美联社preciated。感谢您的时间

Also is there is way that i can filter some denied request by bucket policy , for example in above case can i allow a request which is not from above domains but with a particular ip address. from the amazon docs here i saw that first they check for explicit deny and then those deny requests aren't checked is there a way around this?. Any kind of help will be highly appreciated. thanks for your time

推荐答案

而不是创建一个桶政策允许访问亚马逊的弹性跨codeR，权限通过使用跨$服务授予角色C $ CR服务

Rather than creating a Bucket Policy that permits access for Amazon Elastic Transcoder, permissions are granted via the service role used by the Transcoder service.

只要服务角色有权访问的S3文件，应该没有必要通过桶政策给予它。 （虽然我不确定如果您有什么会发生积极的 DENY 在桶政策。）

As long as the service role has permissions to access your files in S3, there should be no need to grant it via the Bucket Policy. (Although I am unsure what would happen if you have an active DENY in the bucket policy.)

请参阅：<一href="https://docs.aws.amazon.com/elastictrans$c$cr/latest/developerguide/access-control.html#access-control-roles"相对=nofollow>服务角色的弹性跨codeR管道

这篇关于S3斗政策准入条件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！