15

我的存储桶上设置了以下存储桶策略:

{

"Version": "2008-10-17",

"Id": "My access policy",

"Statement": [

     {

 "Sid": "Allow only requests from our site",

 "Effect": "Allow",

 "Principal": { "AWS": "*"},

 "Action": "s3:GetObject",

 "Resource": "arn:aws:s3:::my_bucket/*",

 "Condition": {

   "StringLike": {

      "aws:Referer": [" http://mydomain.com/*"," http://www.mydomain.com/*"]

        }

              }

 },

{

   "Sid": "Dont allow direct acces to files  when no referer is present",

   "Effect": "Deny",

   "Principal": {"AWS": "*" },

  "Action": "s3:GetObject",

  "Resource": "arn:aws:s3:::my_bucket/*",

  "Condition": {

  "Null": {"aws:Referer": true }

         }

         }

]

  }

我还配置了查询字符串身份验证,但看起来我不能同时拥有。如果我将存储桶策略设置为拒绝任何不是来自 mydomain 的请求,我的使用查询字符串身份验证的临时 url 也不会得到服务。所以我的问题是,我怎么能两者兼得?有没有办法检查 url 参数并查看它是否有一个名为“签名”的参数,在这种情况下不应用引用策略?

4

1 回答 1

19

删除引用字符串“ http://mydomain.com/ *”中的空格是错误的......亚马逊示例也犯了这个错误。

对于第二个语句,更简单的解决方法是删除整个语句并将您的文件权限 (ACL) 设置为私有(Owner-Read/Write 和 World-NoRead/NoWrite)

我不确定,但似乎即使您有拒绝声明,如果文件具有公共权限(世界读取),仍然可以读取文件。

此外,如果您在 CloudFront 上分发文件,请记住也允许它读取存储桶。所以一个完整的存储桶策略将如下所示:

{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
    {
        "Sid": "Allow get requests to specific referrers",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.yourwebsite.com/*",
                    "http://yourwebsite.com/*"
                ]
            }
        }
    },
    {
        "Sid": "Allow CloudFront get requests",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::12345678:root"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*"
    }
]
}

(将 12345678 更改为您的 AWS 账户 ID 号,不带破折号)

于 2011-06-28T17:58:42.997 回答