创建一个S3存储桶策略,该策略允许访问Cloudfront但限制对其他任何人的访问 [英] Creating an S3 bucket policy that allows access to Cloudfront but restricts access to anyone else
问题描述
我有以下政策:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "Stmt1395852960432",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
但是,这拒绝了所有请求者的请求,甚至是Cloudfront。正确的方法是什么?
However, this is denying requests from all requestors, even Cloudfront. What is the correct way to do this?
问题是对象是由客户端创建的,具有公共读取权限。我目前没有客户端的直接控制权来更改此设置。因此,我要制定一个覆盖单个对象ACL的策略。因此,默认拒绝在这里不起作用。
The problem is that objects are created by the client with public read. I currently do not have immediate control of the client to change this setting. So what I want is to have a policy that overrides individual object ACL. So default deny here does not work.
推荐答案
S3策略如下所示:
The S3 policy will look like something like this:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
}
]
}
但是,我没有手动生成它。在Cloudfront中添加原点(S3)时,您可以选择限制存储桶访问-在此处说是并继续前进。
But, I didnt manually generate this. When you add an origin (S3) in cloudfront, you have an option to "Restrict Bucket Access" - tell "Yes" here and move forward. Cloudfront configuration will do the rest automatically for you.
此处的详细信息:使用原始访问身份来限制对Amazon S3内容-Amazon CloudFront 的访问。
Details here: Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content - Amazon CloudFront.
这篇关于创建一个S3存储桶策略,该策略允许访问Cloudfront但限制对其他任何人的访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
