拒绝访问用户代理以访问AWS S3中的存储桶 [英] Deny access to user agent to access a bucket in AWS S3

问题描述

在我的S3日志中，我看到来自NSPlayer的多个请求，所有请求如下所示:

In my S3 logs I see multiple requests from NSPlayer and all the requests are like below:

[29/Feb/2016:23:07:27 +0000] 188.71.221.62-07231C9924A44C67 REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3

[29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67 REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3

"GET/bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200 -4122705 5639543 6305 58

"GET /bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200 - 4122705 5639543 6305 58

" http://m.xxxxxxw.com /""NSPlayer/12.00.9651.0000 WMFSDK/12.00.9651.0000-

"http://m.xxxxxxw.com /" "NSPlayer/12.00.9651.0000 WMFSDK/12.00.9651.0000" -

我想拒绝对此用户代理的访问，并且我已经编写了存储桶策略以及拒绝访问的用户策略.但是，仍然不会拒绝访问.您能帮我弄清楚为什么会发生这种情况吗?

I want to deny access to this useragent and I have written the bucket policy as well as the user policy to deny the access. However, still the access is not getting denied. Could you please help me to figure out why its happening?

以下是存储桶策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxx0",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx3:user/bucket"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:UserAgent": "NSPlayer"
                }
            }
        }
    ]
}

请让我知道如何解决此问题！

Please let me know how to fix this!

推荐答案

这是我从亚马逊获得的答复:

This is the reply I got from Amazon:

您几乎在存储桶上都有正确的策略来阻止来自该用户代理的访问.棘手的部分是您允许通过公共读取的ACL访问单个对象，因此不能在存储桶上使用限制性的允许"语句.您需要明确拒绝该用户代理执行GET请求.

You almost have the correct policy on the bucket to block access from that user agent. The tricky part is that you're allowing access to the individual objects via public-read ACLs, so you can't use an restrictive "Allow" statement on the bucket. You'll need to explicitly deny that user agent from performing GET requests.

示例: { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": "*", "Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*", "Condition": { "StringLike": { "aws:UserAgent": "*NSPlayer*" } } }] }

Example: { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "Principal": "*", "Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*", "Condition": { "StringLike": { "aws:UserAgent": "*NSPlayer*" } } }] }

如果NSPlayer在UserAgent字符串中，则上述策略将阻止从任何地方对存储桶的任何访问.

The above policy will block any access to the bucket from anywhere, if NSPlayer is in the UserAgent string.

与FYI一样，存储桶策略优先于用户策略.

Also as FYI, Bucket Policy takes precedence over the User policy.

这篇关于拒绝访问用户代理以访问AWS S3中的存储桶的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！