12

我有一个回形针文本文件附件(在 Rails 中)。

我的存储桶策略是:

{
    "Version": "2008-10-17",
    "Id": "Policy123",
    "Statement": [
        {
            "Sid": "Stmt123",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}

我想限制只有当请求来自我的网站时才允许访问这些操作。是否只是将其更新为: "Principal": {"AWS": "mywebsite.com"} 的情况?

4

2 回答 2

16

您可以在S3 文档中查看一些示例

要限制从您的网站访问,您可以使用Referrer上的条件:

{
  "Version":"2008-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests referred by www.mysite.com and mysite.com",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::example-bucket/*",
      "Condition":{
        "StringLike":{
          "aws:Referer":[
            " http://www.mysite.com/*",
            " http://mysite.com/*"
          ]
        }
      }
    }
  ]
}
于 2012-11-29T13:20:50.253 回答
5

桶策略:

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests originating from www.example.com and example.com.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::00000000:user/example-user" // IAM User ARN
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket-example/*", // bucket ARN
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://example.com/*" // Website link
                    ]
                }
            }
        }
    ]
}
于 2019-07-21T17:00:59.887 回答