Amazon s3 amazon S3 bucket策略-限制referer的访问,但不限制URL是否通过查询字符串身份验证生成
我在我的存储桶上设置了以下存储桶策略:Amazon s3 amazon S3 bucket策略-限制referer的访问,但不限制URL是否通过查询字符串身份验证生成,amazon-s3,query-string,amazon,bucket,Amazon S3,Query String,Amazon,Bucket,我在我的存储桶上设置了以下存储桶策略: { "Version": "2008-10-17", "Id": "My access policy", "Statement": [ { "Sid": "Allow only requests from our site", "Effect": "Allow", "Principal": { "AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:
{
"Version": "2008-10-17",
"Id": "My access policy",
"Statement": [
{
"Sid": "Allow only requests from our site",
"Effect": "Allow",
"Principal": { "AWS": "*"},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [" http://mydomain.com/*"," http://www.mydomain.com/*"]
}
}
},
{
"Sid": "Dont allow direct acces to files when no referer is present",
"Effect": "Deny",
"Principal": {"AWS": "*" },
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"Null": {"aws:Referer": true }
}
}
]
}
我也配置了,但看起来不能同时配置这两个。如果我的bucket策略设置为拒绝任何并非源自mydomain的请求,那么使用查询字符串身份验证的临时url也不会得到服务。所以我的问题是,我怎么能两者兼得呢?有没有办法检查url参数,看看它是否有一个名为“Signature”的参数,在这种情况下不应用referer策略?删除Referers字符串“*”中的空格这是错误的。。。亚马逊的例子也犯了这个错误 对于第二条语句,更简单的解决方法是删除整个语句,并将您的文件权限(ACL)设置为private(Owner Read/Write和World NoRead/NoWrite) 我不确定,但在中,即使您有一个Deny语句,如果文件具有公共权限(World read),仍然可以读取该文件 此外,如果您在CloudFront上分发文件,请记住允许它也读取存储桶。因此,完整的桶策略将如下所示:
{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
{
"Sid": "Allow get requests to specific referrers",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.yourwebsite.com/*",
"http://yourwebsite.com/*"
]
}
}
},
{
"Sid": "Allow CloudFront get requests",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*"
}
]
}
(将12345678更改为不带破折号的AWS帐户ID号)谢谢您的回答。这些信息将在以后派上用场。现在,我为不同的目的使用具有不同过期时间的签名链接。