Restrict access to AWS S3 bucket objects only when requested from certain domains

Time: 2017-04-01 10:11:28

Tags: amazon-web-services amazon-s3 policy

I have created a bucket policy to try to stop users who grab the direct URL from linking to my S3 files. I only want my website to be able to access these files. However, when I link to a file directly with the following policy in place, it still allows access to the file. The files are all set to public.

{
    "Id": "Policy1491040992219",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt14910401236760",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://mywebsite.com/*"
                }
            },
            "Principal": "*"
        },
        {
            "Sid": "Stmt14910403436760",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://localhost:8888/*"
                }
            },
            "Principal": "*"
        }
    ]
}

Do I need to change any settings on the actual S3 bucket to stop all other access?

Thanks!

1 answer:

Answer 0: (score: 0)

You are missing a Deny statement. Try this policy:

{
    "Version": "2008-10-17",
    "Id": "Policy1491040992219",
    "Statement": [
        {
            "Sid": "Stmt14910401236760",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://mywebsite.com/*",
                        "http://localhost:8888/*"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt14910401236761",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://mywebsite.com/*",
                        "http://localhost:8888/*"
                    ]
                }
            }
        }
    ]
}
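To see why the questioner's Allow-only policy still served direct links while the answer's Allow-plus-Deny policy blocks them, here is a small Python model of the S3 authorization decision for an anonymous GetObject (an added example, not the answerer's code or anything from AWS). It assumes the documented evaluation rules: an explicit Deny always wins, a public-read object ACL grants on its own when no policy statement denies, and a missing aws:Referer satisfies a negated operator such as StringNotLike.

```python
import fnmatch

# Referer patterns from the thread; the header is supplied by the client's
# browser, so this deters casual hotlinking rather than enforcing access control.
TRUSTED = ["https://mywebsite.com/*", "http://localhost:8888/*"]

# The questioner's policy, reduced to what matters: Allow statements only.
ALLOW_ONLY = [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Condition": {"StringLike": {"aws:Referer": TRUSTED}}},
]

# The answer's policy: the same Allow plus an explicit Deny for everyone else.
WITH_DENY = ALLOW_ONLY + [
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Condition": {"StringNotLike": {"aws:Referer": TRUSTED}}},
]

def condition_matches(operator, patterns, referer):
    """Evaluate one aws:Referer condition; referer is None when the header is absent."""
    like = referer is not None and any(
        fnmatch.fnmatchcase(referer, p) for p in patterns)
    if operator == "StringLike":
        return like
    if operator == "StringNotLike":
        return not like  # a missing key satisfies a negated operator
    raise ValueError(f"unsupported operator: {operator}")

def statement_applies(stmt, referer):
    """True when the statement covers s3:GetObject and all its conditions hold."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if "s3:GetObject" not in actions:
        return False
    return all(condition_matches(op, keys["aws:Referer"], referer)
               for op, keys in stmt.get("Condition", {}).items())

def decide(statements, referer, object_public_read=True):
    """Anonymous GetObject: explicit Deny wins, then any Allow (policy or public ACL), else deny."""
    applicable = [s for s in statements if statement_applies(s, referer)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "DENY"
    if object_public_read or any(s["Effect"] == "Allow" for s in applicable):
        return "ALLOW"
    return "DENY"

if __name__ == "__main__":
    for referer in (None, "https://mywebsite.com/gallery", "https://other.example/"):
        print(referer, decide(ALLOW_ONLY, referer), decide(WITH_DENY, referer))
```

With the objects set to public, the Allow-only policy returns ALLOW for every Referer, including none at all, because nothing in it overrides the ACL; the Deny statement is what turns a direct link into DENY while requests carrying a trusted Referer still pass.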