限制S3对象对来自特定域的请求的访问 [英] Restrict S3 object access to requests from a specific domain

问题描述

我在S3中有视频文件，还有一个简单的播放器，可以通过src属性加载这些文件.

I have video files in S3 and a simple player that loads the files via an src attribute.

我希望仅通过我的网站观看视频，而不是直接通过S3 URL(可能在页面的源代码中显示或通过右键单击访问)来观看视频

I want the videos to only be viewed through my site and not directly via the S3 URL (which might be visible in the source code of the page or accessible via right clicking)

仔细查看AWS文档，看来我可以通过HTTP做到这一点的唯一方法是将签名和到期日期附加到查询中，但这还不够.其他访问限制是针对AWS用户的.

Looking through the AWS docs it seems the only way i can do this via HTTP is to append a signature and expiration date to a query but this isn't sufficient. Other access restrictions refer to AWS users.

如何解决此问题或实现此服务器/客户端?

How do i get around this or implement this server/client side?

推荐答案

我认为您可以从管理界面中设置存储桶策略.语法有所不同(例如，您可以围绕 deny 或 allow 条件构建策略)，并根据特定的文件名进行过滤，尽管我更喜欢拆分媒体类型放入离散的水桶

I think a Bucket Policy - which you can set up from the admin interface - will do this. There are some variations on the syntax (you can build your policy around a deny or an allow condition for instance) and filter on specific filenames, though I prefer to split media types into discrete buckets

{
"Version": "2008-10-17",
"Id": "Restrict based on HTTP referrer policy",
"Statement": [
    {
        "Sid": "1",
        "Effect": "Deny",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::mybucket/myprefix/*",
        "Condition": {
            "StringNotLike": {
                "aws:Referer": [
                    "http://www.mydomain.com/*",
                    "http://www.subdomain.mydomain.com/*"
                ]
            }
        }
    }
]
}

这篇关于限制S3对象对来自特定域的请求的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！