如何保护公共存储桶中的某些文件/对象? [英] How to protect some files/objects in public bucket?
问题描述
我想创建一个公共read aws s3存储桶,其中某些文件受IAM角色限制读取。
I would like to create a public read aws s3 bucket with some files read restricted by a IAM role.
首先:
- 我使用amplify cli来部署我的静态网站。
- 该网站是一个反应应用
- 该应用具有公共页面/反应组件和管理区域
- 我想限制管理区域/管理页面/管理反应组件aaw IAM角色
- I using amplify cli for deploying my «static» website.
- The website is a react app
- This app have public pages/react components and a admin area
- I would like to restrict admin area/admin pages/admin react components with a aws IAM role
更多详细信息:
react应用程序很大,因此我使用asyncComponent功能拆分了组件,例如 const Dashboard = asyncComponent(()=> import('./ pages / Dashboard'))
因此,当我构建应用程序时,要拥有一个大文件,我会拥有几个小文件。所有这些文件都在同一个存储桶中。
The react app is very big so I splited components using asyncComponent feature like const Dashboard = asyncComponent(() => import('./pages/Dashboard'))
So when I build the app instead to have one big file I have several small files. And all these files are on the same bucket.
现在,我要构建管理页面。始终使用asyncComponent,我们会得到«Admin»文件的集合,并且它们托管在同一存储桶中。但是出于安全原因,我想将访问权限限制为具有特定IAM角色的身份验证用户(例如AdminRole)。
Now I want to build admin pages. Always using asyncComponent we get a collection of «Admin» files and there are hosted on the same bucket. But for security reason I want to restrict access to authenticated users with a certain IAM role (for ex AdminRole).
我从amplify config或AWS中阅读了很多文档:来自CloudFormation的:S3 :: Bucket,我看到了很多不同的信息,告诉我有可能,但是我对这个文档很迷失。
I go through lot of doc from amplify config or AWS::S3::Bucket from cloudFormation and I saw different things that tell me it's possible but I'm very lost in this doc.
所以最后我问:
如何保护具有IAM角色的s3存储桶中的某些文件/对象以读取访问权限?
How can I protect some files/objects for reading access in s3 buckets with a IAM role?
我该如何在react应用程序中标记管理组件?还是通过放大?也许使用正则表达式匹配文件?或指定的文件夹?为了应用此读取限制。
And how can I «tag» admin components in the react app? or via amplify? maybe using regex for match files? or a specified folder? In order to apply this read restriction.
在此先感谢您的答复。
推荐答案
Amazon S3中的内容默认为私有。
Content in Amazon S3 is private by default.
因此,您很高兴世界上的每个人都可以观看可以通过对象上的桶策略(整个桶或部分桶)或对象上的访问控制列表(ACL)公开访问。
Therefore, anything you are happy for everyone in the world to view can be made publicly accessible via a Bucket Policy (whole bucket or part of a bucket) or via Access Control Lists (ACLs) on the objects themselves.
要投放应仅限于特定用户的内容,请利用预签名URL 。这些是限时URL,可提供对Amazon S3中私有对象的临时访问。它们很容易生成(不需要API调用)。
To serve content that should be restricted to specific users, take advantage of Pre-Signed URLs. These are time-limited URLs that provide temporary access to private objects in Amazon S3. They are easy to generate (no API calls required).
工作方式是:
- 用户将对您的应用程序进行身份验证
- 当他们希望访问受限制的内容时,应用程序将确定是否允许他们访问
- 如果允许他们访问,应用程序将生成预签名的URL 。这些也可以在
< a>和< img>标记中使用,以引用页面和图像。 / li>
- 用户将像普通Web组件一样接收/查看内容
- 有效时间结束后,签名的URL将不再起作用
- Users would authenticate with your application
- When they wish to access restricted content, the application would determine whether they are permitted access
- If they are permitted access, the application would generate a pre-signed URL. These can also be used in
<a>and<img>tags to refer to pages and images. - Users will receive/view the content just like normal web components
- Once the expiry time has passed, the pre-signed URLs will no longer work
请参阅:与其他人共享对象-Amazon Simple Storage Service
(我不是放大人,所以我无法说说放大将如何专门生成/使用预签名URL。)
(I'm not an Amplify person, so I can't speak to how Amplify would specifically generate/use pre-signed URLs.)
这篇关于如何保护公共存储桶中的某些文件/对象?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
