
Restrict Access to S3 bucket on AWS

I am storing files in a S3 bucket. I want the access to the files be restricted.

Currently, anyone with the URL to the file is able to access the file.

I want a behavior where file is accessed only when it is accessed through my application. The application is hosted on EC2.

Following are 2 possible ways I could find.

  1. Use "referer" key in bucket policy.

  2. Change "allowed origin" in CORS configuration

Which of the above 2 should be used, given the fact that 'referer' could be spoofed in the request header?

Also can cloudfront play a role over here?

When dealing with a private S3 bucket, you'll want to use an AWS SDK appropriate for your use case.

Here lies SDKs for many different languages: http://aws.amazon.com/tools/

Within each SDK, you can find sample calls to S3.

If you are trying to make private calls via browser-side JavaScript, you can use CORS.

I would recommend using a Pre-Signed URL that permits access to private objects stored on Amazon S3. It is a means of keeping objects secure, yet granting temporary access to a specific object.

It is created via a hash calculation based on the object path, expiry time and a shared Secret Access Key belonging to an account that has permission to access the Amazon S3 object. The result is a time-limited URL that grants access to the object. Once the expiry time passes, the URL does not return the object.

Start by removing existing permissions that grant access to these objects. Then generate Pre-Signed URLs to grant access to private content on a per-object basis, calculated every time you reference an S3 object. (Don't worry, it's fast to do!)

See documentation: Sample code in Java
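Added example, not code from the answer above or from the AWS SDK: a from-scratch Signature Version 4 query-string pre-sign of a GET request, which makes visible the hash over object path, expiry time and Secret Access Key that the answer describes, together with a check of the resulting validity window. The bucket name, object key, region, signing instant and the credentials (the AWS documentation placeholder key pair) are all constructed values.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholders (the well-known AWS documentation example key pair), not real credentials.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def presign_get(bucket, key, region, access_key, secret_key, expires, signed_at):
    """Build a Signature Version 4 query-string pre-signed GET URL for one object."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # seconds the URL stays valid
        "X-Amz-SignedHeaders": "host",
    }
    # SigV4 canonical form: sorted query parameters, RFC 3986 encoding, '/' kept only in the path.
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join(["GET", canonical_uri, canonical_qs,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key from the secret: date -> region -> service -> "aws4_request".
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def is_within_validity(url, at_utc):
    """True if at_utc (YYYYMMDDTHHMMSSZ) lies inside the URL's X-Amz-Date + X-Amz-Expires window."""
    q = parse_qs(urlsplit(url).query)
    start = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    at = datetime.strptime(at_utc, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return start <= at <= start + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def example_url():
    """Constructed demo: sign 'reports/q1.pdf' in 'my-private-bucket' for 15 minutes from a fixed instant."""
    signed_at = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    return presign_get("my-private-bucket", "reports/q1.pdf", "us-east-1",
                       EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, 900, signed_at)
```

S3 itself performs the same validity check server-side, so a URL that still passes `is_within_validity` on your side but was signed with a revoked key is also refused.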
