我有一个Amazon S3存储桶{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content only from my.domain.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
并且只想启用对特定嵌套文件夹中内容的访问(或者使用特定的"前缀"在S3条款中)。
我尝试了以下S3存储桶策略,但它不起作用。添加条件后,我开始在浏览器中获取访问被拒绝错误。
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*"
},
{
"Sid": "Deny access to public content when not on my.domain.com",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
政策应该如何实现这一目标?
答案 0 :(得分:1)
您需要将策略拆分为两个语句。一个允许访问文件夹(前缀),一个拒绝访问,当引用者不是白名单域名之一时:
set(dict1.items()).symmetric_difference(dict2.items())