amazon-s3 - Amazon s3 存储桶策略限制访问无效

Question

我想限制亚马逊 s3 中的所有公共访问文件，除了某些站点（使用引用者），
目前我有这个存储桶策略

{
"Id":"foosite-test",
"Statement":[
  {
     "Sid": "Allow from foosite admin",
     "Action": "s3:GetObject",
     "Effect": "Allow",
     "Resource": "arn:aws:s3:::mybucket/*",
     "Principal": {
        "AWS":["*"]
     },
     "Condition": {
        "StringLike": {
               "aws:Referer": [
              "http://www.foosite.co.uk/admin/*",
              "http://www.foosite.co.au/admin/*"
           ]
        }
     }
  }
  ]
}

但似乎这个政策没有效果。我可以复制粘贴 s3 对象 url 并且仍然可以访问该文件。这个政策有什么问题？

Answer 1

You need to add policy for deny also, that is to block all the other referer. I had answered similar question, but did not included the deny part in that sample policy. You can find my updated answer here: Amazon S3 objects: is it possible to restrict public read policy to some IP adresses only ?

In your case you have to use referer instead of IP.