How to enable Amazon S3 Files Protection


Problem description

I am developing a web application together with two mobile-based (Android & iOS) applications. Currently the uploaded files are open to everyone, meaning anyone with the direct image link can open it in a web browser.

How can I protect or restrict file access to the users of the mobile applications or the web application?

NB: As a beginner, I am not sure which configuration details to provide for the question. If I need to provide more details about the S3 configuration, please specify it and I can add it to the question to make it more meaningful. Sorry for the inconvenience.

Solution


I think an easier approach than pre-signed URLs would be to use Amazon Cognito to provide access to AWS resources to your trusted applications, even to unauthenticated users.

To do this you would create an Identity Pool for your application (you just need one pool for all 3 of your clients) and then configure it so that when a client provides a valid Identity Pool ID they can assume an IAM role with permissions to access AWS resources.

Then you control what S3 bucket permissions the IAM role they assume would have - you could allow unauthenticated users access to read the S3 objects, or force them to create accounts to be able to read/write to S3 buckets (this is very easy with Cognito - users can sign up with Facebook, Gmail, their own email, etc.)

There's a step-by-step guide here for setting up an identity pool with Cognito, and then allowing unauthenticated users to assume an IAM role that can access the contents of an S3 bucket

The above results in the same set of permissions for all guest user accounts that have assumed an IAM role through Amazon Cognito by identifying themselves as part of an identity pool.

Edit: I should point out that if you authenticate via Cognito, you'll need to access the S3 bucket through the S3 Transfer Manager from the AWS SDK.
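The answer above leaves the two policy documents unstated: the trust policy that lets only this identity pool's guests or signed-in users assume a role, and the permission policy that decides what each role may do in the bucket. The following is an added example, not code from the answerer or from AWS; the bucket name, the identity pool ID, the `public/` and `private/<identity>/` key layout, and the tiny local evaluator (`is_allowed`, which models only Allow statements and the `s3:prefix` condition, default deny) are assumptions made for illustration. It shows the least-privilege split the answer describes: guests read `public/` only, authenticated users additionally get read/write on a prefix keyed to their own Cognito identity via the `${cognito-identity.amazonaws.com:sub}` policy variable, so one user cannot touch another user's objects.

```python
import fnmatch
import json
from typing import Optional

BUCKET = "example-app-uploads"                                        # assumed bucket name
IDENTITY_POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"  # assumed pool ID
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM policy variable: the caller's Cognito identity


def trust_policy(authenticated: bool) -> dict:
    """Who may assume the role: only Cognito, only this pool, only guests or only signed-in users."""
    amr = "authenticated" if authenticated else "unauthenticated"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "cognito-identity.amazonaws.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
                "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": amr},
            },
        }],
    }


def unauth_policy() -> dict:
    """Guest role: read objects under public/ and nothing else (no listing, no writes)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/public/*"],
        }],
    }


def auth_policy() -> dict:
    """Signed-in role: read public/, read/write/delete and list only private/<own identity>/."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{BUCKET}/public/*"]},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{BUCKET}/private/{SUB_VAR}/*"]},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{BUCKET}"],
             "Condition": {"StringLike": {"s3:prefix": [f"private/{SUB_VAR}/*"]}}},
        ],
    }


def is_allowed(policy: dict, action: str, resource: str, identity_sub: str,
               prefix: Optional[str] = None) -> bool:
    """Simplified local evaluator (assumption: Allow statements only, default deny,
    wildcard matching, and the s3:prefix StringLike condition). Not the IAM simulator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in stmt["Action"]):
            continue
        resources = [r.replace(SUB_VAR, identity_sub) for r in stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if wanted is not None:
            wanted = [p.replace(SUB_VAR, identity_sub) for p in wanted]
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in wanted):
                continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(authenticated=False), indent=2))
    print(json.dumps(auth_policy(), indent=2))
    obj = f"arn:aws:s3:::{BUCKET}/private/alice/photo.jpg"
    print("guest reads alice's file:", is_allowed(unauth_policy(), "s3:GetObject", obj, "guest"))
    print("alice writes her file:  ", is_allowed(auth_policy(), "s3:PutObject", obj, "alice"))
    print("bob writes alice's file:", is_allowed(auth_policy(), "s3:PutObject", obj, "bob"))
```

Attach `trust_policy(False)` and `unauth_policy()` to the pool's unauthenticated role and `trust_policy(True)` and `auth_policy()` to the authenticated role. Two caveats: the `aud` and `amr` conditions in the trust policy are what stop a role from being assumed from any other identity pool, and the bucket must still block public access and have no bucket policy or ACL that re-opens the objects, otherwise the direct links in the question keep working regardless of the roles.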
