My AS3 Bucket Policy only applies to some Objects


Problem description


I'm having a really hard time setting up my bucket policy, it looks like my bucket policy only applies to some objects in my bucket.


What I want is pretty simple: I store video files in the bucket and I want them to be exclusively downloadable from my website.


My approach is to block everything by default, and then add allow rules:

  • Grant full permissions to the root and alice users.
  • Allow public access to the files in my bucket only for specific referers (my websites).


Note: I manually made all the objects 'public' and my settings for Block Public Access are all set to Off.


Can anyone see any obvious errors in my bucket policy? I don't understand why my policy seems to only work for some files. Thank you so much

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::MY_BUCKET/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://mywebsite1.com/*",
                        "https://mywebsite2.com/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MY_BUCKET/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://mywebsite1.com/*",
                        "https://mywebsite2.com/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::426873019732:root",
                    "arn:aws:iam::426873019732:user/alice"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::MY_BUCKET",
                "arn:aws:s3:::MY_BUCKET/*"
            ]
        }
    ]
}

Recommended answer


Controlling access via aws:Referer is not secure. It can be overcome quite easily. A simple web search will provide many tools that can accomplish this.

A more secure approach is:

  • Keep all objects in your Amazon S3 bucket private (do not "Make Public")
  • Do not use a Bucket Policy
  • Users should authenticate to your application
  • When a user wishes to access one of the videos, or when your application creates an HTML page that refers/embeds a video, the application should determine whether the user is entitled to access the object.
  • If the user is entitled to access the object, the application creates an Amazon S3 pre-signed URL, which provides time-limited access to a private object.
  • When the user's browser requests to retrieve the object via the pre-signed URL, Amazon S3 will verify the contents of the URL. If the URL is valid and the time limit has not expired, Amazon S3 will return the object (eg the video). If the time has expired, the contents will not be provided.


The pre-signed URL can be created in a couple of lines of code and does not require an API call back to Amazon S3.


The benefit of using pre-signed URLs is that your application determines who is entitled to view objects. For example, a user could choose to share a video with another user. Your application would permit the other user to view this shared video. It would not require any changes to IAM or bucket policies.
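To make the "couple of lines of code, no call back to S3" point and the expiry check above concrete, here is an added example (not part of the original question or answer, and not the AWS SDK) that builds a pre-signed GET URL with the Signature Version 4 query-string scheme using only the Python standard library, then applies the same time-limit test S3 applies on receipt. The bucket name, object key and the well-known example key pair from the AWS SigV4 documentation are constructed inputs; in a real application the credentials come from the server's IAM identity and the application decides entitlement before signing.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote, urlparse

# Constructed sample credentials: the example key pair from the AWS SigV4
# documentation, not real credentials.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def signing_key(secret: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    k = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k

def canonical_request(host: str, key: str, query: str) -> str:
    """Canonical request for a presigned GET: only 'host' is signed, no payload hash."""
    return "\n".join(["GET", quote("/" + key), query,
                      f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])

def presign_get(bucket, key, region, access_key, secret, issued, expires):
    """Build a presigned GET URL locally (`issued` is an X-Amz-Date, e.g. 20130524T000000Z).
    Nothing here calls S3: the signature is an HMAC over the request description."""
    host = f"{bucket}.s3.amazonaws.com"
    date = issued[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {  # must be sorted by name and fully URI-encoded ('/' included)
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": issued,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    digest = hashlib.sha256(canonical_request(host, key, query).encode()).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", issued, scope, digest])
    sig = hmac.new(signing_key(secret, date, region), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key)}?{query}&X-Amz-Signature={sig}"

def is_expired(url: str, now: str) -> bool:
    """The check S3 applies on receipt: `now` (X-Amz-Date format) past issued + X-Amz-Expires."""
    q = dict(p.split("=", 1) for p in urlparse(url).query.split("&"))
    fmt = "%Y%m%dT%H%M%SZ"
    deadline = datetime.datetime.strptime(q["X-Amz-Date"], fmt) + \
        datetime.timedelta(seconds=int(q["X-Amz-Expires"]))
    return datetime.datetime.strptime(now, fmt) >= deadline
```

Because the signature covers the expiry, the bucket, the key and the credential scope, a recipient cannot extend the lifetime or point the URL at another object without invalidating it; only the holder of the secret key can issue a fresh one.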

See: Amazon S3 pre-signed URLs


Also, if you wish to grant access to an Amazon S3 bucket to specific IAM Users (that is, users within your organization, rather than application users), it is better to grant access on the IAM User rather than via an Amazon S3 bucket. If there are many users, you can create an IAM Group that contains multiple IAM Users, and then put the policy on the IAM Group. Bucket Policies should generally be used for granting access to "everyone" rather than specific IAM Users.


In general, it is advisable to avoid using Deny policies since they can be difficult to write correctly and might inadvertently deny access to your Admin staff. It is better to limit what is being Allowed, rather than having to combine Allow and Deny.
