通过查询字符串通过Route53 A记录访问私有内容到s3存储桶

Question

I am attempting to restrict access to file resources stored in an S3 bucket using a query string with a specified time to live, (as outlined here http://birkoff.net/blog/amazon-s3-query-string-authentication-using-php/ ) to an alias of my bucket. eg in Route53 I have an A record of type Alias, securefiles.mysite.com pointing the S3 Alias securefiles.mysite.com.s3-website-ap-southeast-2.amazonaws.com .

This works very well with for a file addressed using the standard S3 addresses: securefiles.mysite.com.s3-ap-southeast-2.amazonaws.com/privateresource.png?biglongquerystring or securefiles.mysite.com.s3.amazonaws.com/privateresource.png?biglongquerystring but when I attempt to link it using the shorter securefiles.mysite.com/privateresource.png?biglongquerystring , it fails with a 403, Access Denied message.

For the sake of investigation, I edited the bucket policy to allow all users access to all bucket resources

{
"Version": "2008-10-17",
"Statement": [
    {
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::securefiles.mysite.com/*"
    }
]

}

The query string now works to the shorter address but it is no longer secured as all user now have access.

I have also attempted to "not enable web site hosting" to my bucket which again works fine for the full S3 address, securefiles.mysite.com.s3.amazonaws.com/privateresource.png?biglongquerystring but fails with a 404 NoSuchWebsiteConfiguration when addressing the shorter securefiles.mysite.com/privateresource.png?biglongquerystring

Any ideas on how I can securely address files in an S3 bucket from a Route53 A record to the my S3 bucket alias?

Answer 1

I performed the following tasks:

• Created a bucket in Amazon S3 named images.my-domain.com
• Uploaded a file into the bucket
• Created a Record Set in Amazon Route 53 (A record, Alias = Yes, Alias Target = s3-website-ap-southeast-2.amazonaws.com -- yes, I'm in Sydney too)

Test 1 - Direct access: Clicking the object link in Amazon S3 ( s3-ap-southeast-2.amazonaws.com/images.my-domain.com/picture.jpg ) returned AccessDenied as expected, since there are no permissions on the object.

Test 2 - Direct Pre-Signed URL: Using a Pre-Signed URL (created via BucketExplorer ) on the object in S3 (using the normal S3 URL) successfully provided access to the object. This is to be expected.

Test 3 - Alias access: Accessing the object link in Amazon S3, but changing it to use the domain name directly ( images.my-domain.com/picture.jpg ) returned AccessDenied as expected.

Test 4 - Alias access with Pre-Signed URL: Accessing via the static website URL with Pre-Signed URL failed . This is consistent with the problem you have experienced.

Therefore, I agree that it does not seem possible to use a Pre-Signed URL together with a Route 53 alias to a static S3 website.

I then tested it further, using the Amazon S3 static website URL:

Tst 5 - S3 Static website URL with Pre-Signed URL: This test tried to access the private file via the static website URL( images.my-domain.com.s3-website-ap-southeast-2.amazonaws.com/picture.jpg ) together with the Signature. This also returned AccessDenied .

Therefore, the problem doesn't seem to be with the Route 53 URL. Rather, Pre-Signed URLs don't seem to work via the Static Website URL. Since Route 53 uses the Static URL, that fails too.