堆栈内存溢出
  简体   繁体   English

如何使用s3存储桶URL安全访问应用程序中的文件

[英]How to securely access a file in the application using s3 bucket URL

 原文  2018-04-05 16:12:32       amazon-web-services/ amazon-s3

问题描述

In my application we have to open some pdf files in a new tab on click of an icon using the direct s3 bucket url like this: 在我的应用程序中,我们必须使用直接s3存储桶url在图标单击时在新选项卡中打开一些pdf文件,如下所示: 

http://MyBucket.s3.amazonaws.com/Certificates/1.pdf?AWSAccessKeyId=XXXXXXXXXXXXX&Expires=1522947975&Signature=XXXXXXXXXXXXXXXXX

Some how i feel this is not secure as the user could see the bucket name, AWSAccessKeyId , Expiration and Signature . 我觉得这有些不安全,因为用户可以看到存储桶名称, AWSAccessKeyIdExpirationSignature Is this still considered secure ? 这仍然被认为是安全的吗? Or is there a better way to handle this ? 还是有更好的方法来解决这个问题?

2 个解决方案

解决方案1
 2 已采纳  2018-04-05 19:32:17

Allowing the user to see these parameters is not a problem because; 允许用户看到这些参数不是问题,因为;

  1. AWSAccessKeyId can be public (do not confuse with SecretAccessKey ) AWSAccessKeyId可以是公共的(不要与SecretAccessKey混淆)
  2. Expires and signature is signed with your SecretAccessKey so no one will be able to manipulate it (aws will validate it against you SecretKey) 到期并使用您的SecretAccessKey签名,因此没人能操纵它(aws会针对您的SecretKey对其进行验证)
  3. Since you don't have public objects and your bucket itself is not public, then it is ok to the user knowing your bucket name - you will always need a valid signature to access the objects. 由于您没有公共对象,而且存储桶本身也不是公共的,因此知道用户存储桶名称的用户可以使用它-您将始终需要有效的签名来访问这些对象。

But I have two suggestions for you; 但是我有两个建议给你; 1. Use your own domain, so the bucket is not visible (you can use free SSL provided by AWS if you use CloudFornt), 2. Use HTTPS instead of plain HTTP. 1.使用您自己的域,因此看不到存储桶(如果使用CloudFornt,则可以使用AWS提供的免费SSL),2.使用HTTPS而不是纯HTTP。

And if for any reason you absolutely dont want your users to see AWS parameters, then I suggest that you proxy the access to S3 via your own API. 并且,如果出于任何原因您绝对不希望用户看到AWS参数,那么我建议您通过自己的API代理对S3的访问。 (though I consider it unnecessary) (尽管我认为这是不必要的)

解决方案2
 1  2018-04-05 19:22:56

I see you access with http (with no SSL). 我看到您使用http访问(没有SSL)。 You can do virtual hosting with S3 for multiple domains. 您可以使用S3对多个域进行虚拟托管。

https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html

and create signed url based on your domain and you are good to go. 并根据您的域创建签名的URL,您一切顺利。

If you are using SSL, you can use Cloudfront 如果使用SSL,则可以使用Cloudfront

and configure cloudfront origin to point to your S3 bucket. 并将Cloudfront原点配置为指向您的S3存储桶。

Hope it helps. 希望能帮助到你。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用boto3从url访问S3存储桶? - How to access S3 bucket from url using boto3? 如何使用python访问S3存储桶中的新添加文件 - How to access newly added file in S3 bucket using python 如何通过简单URL访问Amazon S3专用存储桶中的文件? - How do I access a file in Amazon S3 private bucket through simple URL? 如何使用Cloudformation将代码从aws s3存储桶安全地提取到Codecommit存储库? - How to securely pull code from an aws s3 bucket to a Codecommit repository using Cloudformation? 如何访问Cloudfront到s3存储桶对象简单url - how to access cloudfront to s3 bucket object simple url 使用 VPC 终端节点 URL 上传 Amazon S3 存储桶中的文件 - Uploading a file in an Amazon S3 bucket using the VPC endpoint URL 想要使用预先签名的 url 将文件上传到 s3 存储桶 - Want to upload file to s3 bucket using presigned url PHP AWS S3 sdk:如何生成预签名的URL以使用PHP将文件上传到S3存储桶中的文件夹? - PHP AWS S3 sdk: How to generate pre signed url to upload a file to a folder in the S3 bucket using PHP? 如何创建预签名 URL 以使用 Boto3 从 S3 存储桶下载文件? - How do I create a Presigned URL to download a file from an S3 Bucket using Boto3? 如何使用其 URL 从私有 S3 存储桶下载文件? - How to download a file from private S3 bucket using its URL?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM