仅当从某些域发出请求时限制对AWS S3存储桶对象的访问

我已经创建了一个存储桶策略来尝试停止从获取直接URL的人链接到我的S3文件。我只希望我的网站能够访问这些文件。但是，当我直接链接到下面的策略时，它仍然允许访问该文件。这些文件都设置为公开。仅当从某些域发出请求时限制对AWS S3存储桶对象的访问

{ 
    "Id": "Policy1491040992219", 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "Stmt149104", 
      "Action": [ 
       "s3:GetObject" 
      ], 
      "Effect": "Allow", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": "https://mywebsite.com/*" 
       } 
      }, 
      "Principal": "*" 
     }, 
     { 
      "Sid": "Stmt14910403436760", 
      "Action": [ 
       "s3:GetObject" 
      ], 
      "Effect": "Allow", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": "http://localhost:8888/*" 
       } 
      }, 
      "Principal": "*" 
     } 
    ] 
}

我是否需要更改实际S3存储桶设置的任何设置以停止所有访问？

谢谢！

来源

2017-04-01 DIM3NSION

您错过了Deny声明。试试这个政策：

{ 
    "Version": "2008-10-17", 
    "Id": "Policy1491040992219", 
    "Statement": [ 
     { 
      "Sid": "Stmt149104", 
      "Effect": "Allow", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": "s3:GetObject", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": [ 
         "https://mywebsite.com/*", 
         "http://localhost:8888/*" 
        ] 
       } 
      } 
     }, 
     { 
      "Sid": "Stmt149104", 
      "Effect": "Deny", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": "s3:GetObject", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringNotLike": { 
        "aws:Referer": [ 
         "https://mywebsite.com/*", 
         "http://localhost:8888/*" 
        ] 
       } 
      } 
     } 
    ] 
}

来源

2017-04-01 13:03:13

我怀疑这些对象上有'x-amz-acl：public-read'，并且根据所需的全部结果，应该通过删除该对象来应用修补程序。 –

仅当从某些域发出请求时限制对AWS S3存储桶对象的访问

回答

相关问题