amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication


Question

I have the following bucket policy set on my bucket:

{
  "Version": "2008-10-17",
  "Id": "My access policy",
  "Statement": [
    {
      "Sid": "Allow only requests from our site",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [" http://mydomain.com/*", " http://www.mydomain.com/*"]
        }
      }
    },
    {
      "Sid": "Dont allow direct access to files when no referer is present",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "Null": { "aws:Referer": true }
      }
    }
  ]
}

I also configured query string authentication, but it looks like I can't have both. If I have my bucket policy set to deny any request that doesn't originate from mydomain, my temporary URL using query string authentication will also not get served. So my question is, how can I have both? Is there a way to check the URL parameters and see if there is a parameter called "Signature", and in that case not apply the referer policy?

Answer

Remove the space in the referrer string " http://mydomain.com/*"; that's wrong... the Amazon examples made that mistake too.

For the second statement, the easier way to solve it is to remove that entire statement and have your file permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite).

I am not sure, but it appears that even if you have a Deny statement, a file can still be read if it has a public permission (World Read).

Also, if you are distributing the files on CloudFront, remember to allow it to read the bucket too. So a complete bucket policy will look like:

{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
    {
        "Sid": "Allow get requests to specific referrers",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.yourwebsite.com/*",
                    "http://yourwebsite.com/*"
                ]
            }
        }
    },
    {
        "Sid": "Allow CloudFront get requests",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::12345678:root"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*"
    }
]
}

(change 12345678 to your AWS account ID number without the dashes)
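The following is an added example, not code from the question, the answer, or AWS. It is a small evaluator for the two policies in this thread (the asker's, with the leading spaces and the `Null: aws:Referer` Deny, and the answer's, with the spaces removed, the Deny dropped and a CloudFront principal added), written to make both points above reproducible: why the asker's Deny also blocks a query-string-signed URL, and why the answer's policy serves the signed URL while still refusing a direct anonymous download. The account ID, the IAM user `web-app` that signs the URLs, the object key and the rule that a same-account principal is allowed through its own IAM policy are assumptions, as is the simplification that object ACLs are private; real S3 evaluation also consults ACLs, SCPs and VPC endpoint policies, which are not modelled.

```python
"""Simplified evaluator for the two bucket policies in this thread.

Added example, not AWS code. It models only what the question and the answer
turn on: an explicit Deny beats every Allow; a matching bucket-policy Allow
beats the implicit deny; and a request carrying a valid query-string signature
is an authenticated request from the signer, which is assumed to hold
s3:GetObject through its own IAM policy. Object ACLs are assumed private, as
the answer recommends, so anonymous requests get nothing outside this policy.
"""
import re

ACCOUNT = "12345678"                               # placeholder account from the answer
SIGNER = f"arn:aws:iam::{ACCOUNT}:user/web-app"    # assumed IAM user that signs the URLs
CLOUDFRONT = f"arn:aws:iam::{ACCOUNT}:root"        # principal used by the answer's policy
ANONYMOUS = "anonymous"                            # plain browser request, no signature


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def principal_matches(principal, req):
    """'*' matches everyone, signed requests included; otherwise exact ARN match."""
    aws = principal["AWS"]
    listed = [aws] if isinstance(aws, str) else list(aws)
    return "*" in listed or req["principal"] in listed


def condition_matches(condition, req):
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = req["context"].get(key)
            if operator == "Null":
                # Null: true is satisfied when the key is absent from the request
                if (actual is None) != bool(expected):
                    return False
            elif operator == "StringLike":
                patterns = [expected] if isinstance(expected, str) else expected
                if actual is None or not any(string_like(p, actual) for p in patterns):
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
    return True


def statement_matches(stmt, req):
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
    return (req["action"] in actions
            and any(string_like(r, req["resource"]) for r in resources)
            and principal_matches(stmt["Principal"], req)
            and condition_matches(stmt.get("Condition", {}), req))


def evaluate(policy, req):
    """Return (effect, reason) for one request against one bucket policy."""
    matched = [s for s in policy["Statement"] if statement_matches(s, req)]
    for stmt in matched:
        if stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]               # explicit deny always wins
    for stmt in matched:
        if stmt["Effect"] == "Allow":
            return "Allow", stmt["Sid"]
    if req["principal"].startswith(f"arn:aws:iam::{ACCOUNT}:"):
        return "Allow", "identity-based policy of the signer (assumed)"
    return "Deny", "implicit (no matching Allow, object ACL private)"


def bucket_policy(referers, deny_without_referer, allow_cloudfront):
    """Build the policy shapes from the thread; Sids follow the page."""
    resource = "arn:aws:s3:::my_bucket/*"
    statements = [{"Sid": "Allow get requests to specific referrers", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": resource,
                   "Condition": {"StringLike": {"aws:Referer": referers}}}]
    if deny_without_referer:
        statements.append({"Sid": "Dont allow direct access to files when no referer is present",
                           "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                           "Resource": resource, "Condition": {"Null": {"aws:Referer": True}}})
    if allow_cloudfront:
        statements.append({"Sid": "Allow CloudFront get requests", "Effect": "Allow",
                           "Principal": {"AWS": CLOUDFRONT}, "Action": "s3:GetObject",
                           "Resource": resource})
    return {"Version": "2008-10-17", "Statement": statements}


# The asker's policy: leading space inside the patterns, plus the Deny statement.
QUESTION_POLICY = bucket_policy([" http://mydomain.com/*", " http://www.mydomain.com/*"], True, False)
# The answer's policy: spaces removed, Deny dropped, CloudFront principal allowed.
ANSWER_POLICY = bucket_policy(["http://mydomain.com/*", "http://www.mydomain.com/*"], False, True)


def get_request(principal, referer=None, key="images/logo.png"):
    """A GET for one object; a page-embedded asset carries aws:Referer, a URL opened directly does not."""
    context = {} if referer is None else {"aws:Referer": referer}
    return {"principal": principal, "action": "s3:GetObject",
            "resource": f"arn:aws:s3:::my_bucket/{key}", "context": context}


if __name__ == "__main__":
    cases = [
        ("question policy, pre-signed URL, no Referer", QUESTION_POLICY, get_request(SIGNER)),
        ("question policy, browser with good Referer", QUESTION_POLICY, get_request(ANONYMOUS, "http://mydomain.com/page")),
        ("answer policy, pre-signed URL, no Referer", ANSWER_POLICY, get_request(SIGNER)),
        ("answer policy, browser with good Referer", ANSWER_POLICY, get_request(ANONYMOUS, "http://mydomain.com/page")),
        ("answer policy, direct anonymous download", ANSWER_POLICY, get_request(ANONYMOUS)),
        ("answer policy, CloudFront origin fetch", ANSWER_POLICY, get_request(CLOUDFRONT)),
    ]
    for label, pol, req in cases:
        effect, why = evaluate(pol, req)
        print(f"{label:46} -> {effect:5} ({why})")
```

Two things the run makes visible. First, `"Principal": {"AWS": "*"}` in a Deny matches signed requests too, so the asker's Deny fires on the pre-signed URL exactly as on an anonymous one; a policy condition cannot see a `Signature` query parameter, and it does not need to, because once the Deny is gone the signed request is authenticated and allowed on its own while the unsigned, referer-less request falls through to the implicit deny. Second, the leading space turns `" http://mydomain.com/*"` into a pattern no browser ever sends, so with the asker's policy even the legitimate site is denied. Keep in mind that `Referer` is set by the client and trivially spoofed with `curl -H`, so a referer condition is a hotlinking deterrent, not an access control; the pre-signed URL is the part that actually carries authentication.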
