如何为在S3中上传的文件启用AWS-S3-安全策略
[英]How to enable AWS-S3-security policy for files uploaded in S3
问题描述
I am working on application in which we upload customers' videos, pdfs and other confidential documents on S3 bucket. 
我正在开发一个应用程序,其中我们将客户的视频,pdf和其他机密文件上传到S3存储桶中。
Currently, a customer can play these videos in videogular component(Angular component) and PDF files can be read in PDF component.(Angular Component) 当前,客户可以在videogular组件(Angular组件)中播放这些视频,并且可以在PDF组件(Angular Component)中读取PDF文件。
My concern is about its security. 我担心它的安全性。
I want that customers can play/read only their video/pdf. 我希望客户只能播放/阅读他们的视频/ pdf。 No one can download/play/read these things. 没有人可以下载/播放/阅读这些内容。
1.) How can I achieve that? 1.) 我该如何实现?
2.) Which are the things which I have to enable/disable on my S3 bucket. 2.)我必须在S3存储桶上启用/禁用哪些功能。 (S3 Bucket policy) (S3存储桶策略)
3.) We do not have IAM roles configured. 3.)我们没有配置IAM角色。 Do we need it? 我们需要吗?
I have no clue about this... It would be great if some one can guide/provide some useful links. 我对此一无所知...如果有人可以指导/提供一些有用的链接,那将是很好的。
Thanks in advance. 提前致谢。
2 个解决方案
解决方案1
1 2017-11-08 15:08:40
I assume each user has it's own folder in your S3 bucket. 我假设每个用户在S3存储桶中都有自己的文件夹。
1. I would process the folder and files on the back end and show each user only files they are supposed to see by using their user IDs. 1.我将在后端处理文件夹和文件,并使用用户ID仅向每个用户显示应该看到的文件。
Suppose your S3 bucket is named inventory, and my username is ABC123, there should be a folder like: s3://inventory/ABC123/ . 假设您的S3存储桶命名为“清单”,而我的用户名是ABC123,则应该有一个文件夹:s3:// inventory / ABC123 /。 or s3://inventory/(your customized user ids)/ 或s3://库存/(您的自定义用户ID)/
I would make the url to S3 bucket in my app based on user IDs. 我将根据用户ID在我的应用中将URL设置为S3存储桶。
and when you show the files to your users, the url in the browser must be changed so they cannot see the real path to the file. 当您向用户显示文件时,必须更改浏览器中的url,以使他们看不到文件的真实路径。
2. 2。
- If you need to have access to the previous version of the files you can activate Versioning. 如果需要访问文件的先前版本,则可以激活版本控制。
- logs for access requests. 记录访问请求。
- File encryption 文件加密
- Tags if you are concerned about the cost 标签,如果您担心成本
3. (If you mean IAM roles for your users), If you handle access to your S3 bucket by your app, you don't need it. 3.(如果您是为用户指的是IAM角色),如果您处理应用程序对S3存储桶的访问,则不需要它。
解决方案2
0 已采纳 2017-11-14 05:50:05
Finally, I got the answer. 最后,我得到了答案。
Answer of First Question: What @Cyrus has mentioned in his answer is absolutely correct. 第一个问题的答案:@Cyrus在他的答案中提到的内容是绝对正确的。 Addition to that answer I want to add few more points in it. 除了该答案,我想在其中添加更多点。
as he has rightly mentioned... 正如他正确地提到的...
when you show the files to your users, the url in the browser must be changed so they cannot see the real path to the file.
which gives me hint about CDN(Content Delivery Network) server . 这给了我有关CDN(内容交付网络)服务器的提示 。
Finally, we would go for CDN-S3 combination . 最后,我们将选择CDN-S3组合 。
It means Client would only exposed to CDN url(s). 这意味着客户将只暴露于CDN网址。 (Not S3 url(s)) And those would be Pre signed URL (Secure as well as temporary url.) (不是S3网址),这些将是预签名的网址 (安全和临时网址)。
One can read more about from here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html 您可以从此处了解更多信息: http : //docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
Answer of (2) and (3): as @Cyrus mentioned. (2)和(3)的答案:如@Cyrus所述。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.