我的S3存储桶中的项目可公开访问。 如何限制访问权限,以便只能从我的应用程序内访问S3存储桶链接?
[英]Items in my S3 bucket are publicly accessible. How do I restrict access so that the S3 Bucket link is only accessible from within my app?
问题描述
I have an S3 bucket that contains items. 
我有一个包含物品的S3存储桶。 These are accessible by anyone at the moment with a link. 现在,任何人都可以通过链接访问这些文件。 The link includes a UUID so the chances of someone actually accessing it are very low. 该链接包含一个UUID,因此某人实际访问它的机会非常低。 Nonetheless, with GDPR around the corner, I'm anxious to get it tied down. 尽管如此,由于GDPR即将来临,我急于将其束缚住。
I'm not really sure what to google to find an answer, and having searched around I'm not closer to my answer. 我不太确定要用什么Google来找到答案,而且经过搜索后,我离答案还很近。 I wondered if someone else had a solution to this problem? 我想知道其他人是否可以解决这个问题? I'd like to only be able to access the resources if I'm clicking on the link from within my app. 我只想在我的应用程序内单击链接时才能访问资源。
2 个解决方案
解决方案1
1 2018-05-21 16:50:04
According to the S3 documentation , you should be able to restrict access to S3 objects to certain HTTP referrers, with an explicit deny to block access to anyone outside of your app: 根据S3文档 ,您应该能够将对S3对象的访问限制为某些HTTP引荐来源网址,并明确deny阻止对您应用之外的任何人的访问:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests referred by www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringLike": {"aws:Referer": ["http://www.example.com/*","http://example.com/*"]}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotLike": {"aws:Referer": ["http://www.example.com/*","http://example.com/*"]}
}
}
]
}
The prerequisite for using this setup would be to build an S3 link wrapper service and hosting it at some site for your app. 使用此设置的先决条件是构建S3链接包装器服务并将其托管在您的应用程序的某个站点上。
解决方案2
1 2018-05-21 23:11:19
This is a standard use-case for using a Pre-signed URL . 这是使用Pre-signed URL的标准用例。
Basically, when your application generates the HTML page that contains a link, it generates a special URL that includes an expiry time. 基本上,当您的应用程序生成包含链接的HTML页面时,它会生成一个包含到期时间的特殊URL。 It then inserts that URL in the HTML link code (eg for an image, you would use: <img src='[PRE-SIGNED URL]'/> 然后,它将该URL插入HTML链接代码中(例如,对于图像,您将使用: <img src='[PRE-SIGNED URL]'/>
The code to generate the pre-signed URL is quite simple (and is provided in most SDKs). 生成预签名URL的代码非常简单(大多数SDK中都提供了该代码)。
Keep your Amazon S3 bucket as private so that other people cannot access the content. 将您的Amazon S3存储桶保持私有状态,以便其他人无法访问内容。 Then, anyone with a valid pre-signed URL will get the content. 然后,具有有效预签名URL的任何人都将获得内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.