我有一个回形针文本文件附件(在 Rails 中)。
我的存储桶政策是:
{
"Version": "2008-10-17",
"Id": "Policy123",
"Statement": [
{
"Sid": "Stmt123",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my_bucket/*"
}
]
}
我想限制仅当请求来自我的网站时才允许访问这些操作。是否只是将其更新为: "Principal": {"AWS": "mywebsite.com"} ?
您可以在S3文档
中查看一些示例要限制从您的网站的访问,您可以使用Referrer上的条件:
{
"Version":"2008-10-17",
"Id":"http referer policy example",
"Statement":[
{
"Sid":"Allow get requests referred by www.mysite.com and mysite.com",
"Effect":"Allow",
"Principal":"*",
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::example-bucket/*",
"Condition":{
"StringLike":{
"aws:Referer":[
" http://www.mysite.com/*",
" http://mysite.com/*"
]
}
}
}
]
}
桶政策:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000:user/example-user" // IAM User ARN
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-example/*", // bucket ARN
"Condition": {
"StringLike": {
"aws:Referer": [
"http://example.com/*" // Website link
]
}
}
}
]
}
以上答案是一半,几年前它们曾经有效。但到 2024 年,你必须混合使用 2 项政策才能使事情发挥作用。
{
"Version": "2012-10-17",
"Id": "Policy1614793348558",
"Statement": [
{
"Sid": "AllowOnlyWebsiteAccess",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://your-website.com/*"
}
}
},
{
"Sid": "DenyAllOthers",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your-bucket-name/*",
"Condition": {
"StringNotLike": {
"aws:Referer": "https://your-website.com/*"
}
}
}
]
}