我的存储桶上设置了以下存储桶策略:
{
"Version": "2008-10-17",
"Id": "My access policy",
"Statement": [
{
"Sid": "Allow only requests from our site",
"Effect": "Allow",
"Principal": { "AWS": "*"},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [" http://mydomain.com/*"," http://www.mydomain.com/*"]
}
}
},
{
"Sid": "Dont allow direct acces to files when no referer is present",
"Effect": "Deny",
"Principal": {"AWS": "*" },
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"Null": {"aws:Referer": true }
}
}
]
}
我还配置了query string authentication,但看起来我不能同时拥有这两者。如果我将我的存储桶策略设置为拒绝任何不是源自mydomain的请求,则使用查询字符串身份验证的临时URL也将无法提供。所以我的问题是,我怎么能同时拥有这两个?有没有办法检查url参数,看看它是否有一个名为“Signature”的参数,在这种情况下不应用引用策略?
答案 0 :(得分:18)
删除引用字符串“http://mydomain.com/ *”中的空格,这是错误的......亚马逊的例子也犯了这个错误。
对于第二个语句,解决它的更简单方法是删除整个语句并将您的文件权限(ACL)设置为私有(Owner-Read / Write和World-NoRead / NoWrite)
我不确定,但似乎即使您有拒绝声明,如果文件具有公共权限(World Read),仍然可以读取该文件。
此外,如果您要在CloudFront上分发文件,请记住也允许它读取存储桶。因此,完整的存储桶策略将如下所示:
{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
{
"Sid": "Allow get requests to specific referrers",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.yourwebsite.com/*",
"http://yourwebsite.com/*"
]
}
}
},
{
"Sid": "Allow CloudFront get requests",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*"
}
]
}
(将12345678更改为您的AWS账户ID号,不带破折号)