
Amazon S3 bucket policy - restricting access by referer BUT not restricting if URLs are generated via query string authentication

I have the following bucket policy set on my bucket:

{
  "Version": "2008-10-17",
  "Id": "My access policy",
  "Statement": [
    {
      "Sid": "Allow only requests from our site",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            " http://example.com/*",
            " http://www.example.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Don't allow direct access to files when no referer is present",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "Null": {
          "aws:Referer": true
        }
      }
    }
  ]
}

I also configured query string authentication, but it looks like I can't have both. If I have my bucket policy set to deny any request that doesn't originate from example.com, my temporary URL using query string authentication will also not get served. So my question is, how can I have both? Is there a way to check for URL parameters and see if there is a parameter called "Signature", and in that case not apply the referer policy?


Remove the space in the referrer string " http://example.com/*"; that's wrong. The Amazon examples made that mistake too (using "mydomain" instead of "example").

For the second statement, the easier way to solve it is to remove that entire statement and have your files' permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite).

I am not sure, but it appears that even if you have a Deny statement, a file can still be read if it has a public permission (World Read).

Also, if you are distributing the files on CloudFront remember to allow it to read the bucket too. So a complete bucket policy will look like:

{
  "Version": "2008-10-17",
  "Id": "YourNetwork",
  "Statement": [
    {
      "Sid": "Allow get requests to specific referrers",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucket/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.yourwebsite.com/*",
            "http://yourwebsite.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Allow CloudFront get requests",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12345678:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucket/*"
    }
  ]
}

(change the 12345678 to your AWS account ID number without the dashes)

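To see why the question's two statements cannot coexist with presigned URLs, and why the answer's two fixes work, here is an added example (not from the question, the answer, or AWS) that models S3's policy evaluation with the condition keys involved. It is a simplified model: explicit Deny always wins, a matching Allow grants access, and, as a labelled assumption, a presigned URL carries the signer's own IAM permission to read the object; the bucket name, URLs and signature values are constructed.

```python
import fnmatch
from urllib.parse import parse_qs, urlparse

# Constructed statements mirroring the question's policy (only the condition parts matter here).
WITH_DENY = [
    {"Effect": "Allow", "StringLike": {"aws:Referer": ["http://example.com/*", "http://www.example.com/*"]}},
    {"Effect": "Deny", "Null": {"aws:Referer": True}},
]
WITHOUT_DENY = WITH_DENY[:1]  # the answer's fix: drop the Deny statement, keep object ACLs private
BAD_PATTERNS = [{"Effect": "Allow", "StringLike": {"aws:Referer": [" http://example.com/*"]}}]  # leading space

def conditions_hold(stmt, ctx):
    """True when every condition block in the statement matches the request context."""
    for key, patterns in stmt.get("StringLike", {}).items():
        value = ctx.get(key)
        # A missing key never satisfies StringLike; '*' and '?' behave like the IAM wildcards.
        if value is None or not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    for key, must_be_absent in stmt.get("Null", {}).items():
        if (ctx.get(key) is None) != must_be_absent:
            return False
    return True

def request_context(url, referer=None):
    """Condition-key view of a GET: the Referer header (if any) and whether a Signature query
    parameter is present. Bucket-policy conditions never look at that parameter themselves."""
    query = parse_qs(urlparse(url).query)
    return {"aws:Referer": referer, "presigned": "Signature" in query}

def decide(statements, ctx):
    """Simplified authorisation: explicit Deny wins; otherwise a matching Allow, or (assumption)
    the IAM identity behind a presigned URL, grants access; anything else is an implicit Deny."""
    effects = {s["Effect"] for s in statements if conditions_hold(s, ctx)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects or ctx["presigned"]:
        return "Allow"
    return "Deny"

if __name__ == "__main__":
    obj = "https://my_bucket.s3.amazonaws.com/img.png"  # constructed
    page = request_context(obj, referer="http://example.com/page")
    presigned = request_context(obj + "?AWSAccessKeyId=EXAMPLE&Expires=1&Signature=EXAMPLE")
    hotlink = request_context(obj)  # no Referer, no signature
    print("with Deny:   ", decide(WITH_DENY, page), decide(WITH_DENY, presigned), decide(WITH_DENY, hotlink))
    print("without Deny:", decide(WITHOUT_DENY, page), decide(WITHOUT_DENY, presigned), decide(WITHOUT_DENY, hotlink))
    print("leading space in pattern:", decide(BAD_PATTERNS, page))
```

The presigned request has no Referer header, so the Null condition fires and the explicit Deny blocks it regardless of the signature; without that statement, the signer's identity grants access while an anonymous hotlink still falls to the implicit deny.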