AWS S3存储桶策略 - 如何仅允许从我的网站访问?

时间:2012-10-26 20:22:30

标签: ruby-on-rails amazon-s3 paperclip

我有一个回形针文本文件附件(在Rails中)。

我的存储桶政策是:

{
    "Version": "2008-10-17",
    "Id": "Policy123",
    "Statement": [
        {
            "Sid": "Stmt123",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}

我想限制访问这些操作,只有在我的网站发出请求时才允许这样做。只是将其更新为“Principal”:{“AWS”:“mywebsite.com”}?

2 个答案:

答案 0 :(得分:7)

您可以查看S3 Documentations

中的一些示例

要限制从您的网站访问,您可以使用推荐人上的条件:

{
  "Version":"2008-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests referred by www.mysite.com and mysite.com",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::example-bucket/*",
      "Condition":{
        "StringLike":{
          "aws:Referer":[
            " http://www.mysite.com/*",
            " http://mysite.com/*"
          ]
        }
      }
    }
  ]
}

答案 1 :(得分:0)

时段政策:

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests originating from www.example.com and example.com.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::00000000:user/example-user" // IAM User ARN
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-example/*", // bucket ARN
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://example.com/*" // Website link
                    ]
                }
            }
        }
    ]
}
相关问题
最新问题