堆栈内存溢出
  简体   繁体   English

如何将我的 S3 web 站点的访问限制为特定域或 IP 地址?

[英]How do I restrict access of my S3 web site to specific domains or IP addresses?

 原文  2020-04-23 04:50:55       amazon-web-services/ amazon-s3

问题描述

I have a static web site hosted in an S3 bucket.我有一个托管在 S3 存储桶中的 static web 站点。 With an SSL certificate on AWS, let's say the site is https://myawssite.com/somefolder/ .在 AWS 上使用 SSL 证书,假设该站点是https://myawssite.com/somefolder/ On some other page, say http://containerpage.com , I have an iframe in which I put在其他页面上,比如说http://containerpage.com ,我有一个 iframe 我把

<iframe src="https://myawssite.com/somefolder?url=/content/x83822" frameborder="0" allowfullscreen></iframe>

I want to allow the content to show only when the reference to myawssite.com is on http://containerpage.com , but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382 into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com ). I want to allow the content to show only when the reference to myawssite.com is on http://containerpage.com , but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382 into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com ).

Assuming containerpage.com is at IP address 5.33.253.12, I thought I could do it with an s3 bucket policy like this:假设containerpage.com位于 IP 地址 5.33.253.12,我想我可以使用这样的 s3 存储桶策略来做到这一点:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceIp": "5.33.253.12/32"
                }
            }
        }
    ]
}

This is not working.这是行不通的。 Ideally I would like to specify the permitted domain ( containerpage.com ), instead of the IP address, but I can't even get the IP address to work.理想情况下,我想指定允许的域( containerpage.com ),而不是 IP 地址,但我什至无法让 IP 地址工作。

Can anyone spot what I am doing wrong, or if the whole approach is not correct?谁能发现我做错了什么,或者整个方法不正确?

Thanks in advance for any suggestions!在此先感谢您的任何建议!

2 个解决方案

解决方案1
 1  2020-04-23 06:17:15

You are giving the ip address which will refer to http://containerpage.com/* .您正在提供 ip 地址,该地址将引用http://containerpage.com/*

and as @marcin commented you should use aws:refer .正如@marcin 评论的那样,您应该使用aws:refer

policy should be this like:政策应该是这样的:

    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://containerpage.com"
                }
            }
        }
    ]
}

See docs查看文档

解决方案2
 1 已采纳  2020-04-23 08:46:44

Restricting access based upon Referer is not secure.基于Referer限制访问是不安全的。 It can be easily circumvented.它很容易被规避。 A simple web search reveals many methods to fake the referer field.一个简单的 web 搜索揭示了许多伪造referer字段的方法。

For a more secure method, see this StackOverflow answer: My S3 Bucket Policy only applies to some Objects有关更安全的方法,请参阅此 StackOverflow 答案:我的 S3 存储桶策略仅适用于某些对象

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么我的 AWS S3 策略不会仅限制某些 IP 地址的访问? - Why my AWS S3 policy will not restrict access for only certain IP addresses? 如何将 S3 + Cloudfront 登台服务器限制为特定的 IP? - How do I restrict S3 + Cloudfront staging server to specific IP? 对于 AWS s3,如何动态限制 IP 地址并在 24 小时后释放它们? - How can I restrict IP addresses dynamically and release them after 24hrs for AWS s3? 如何将对静态s3网站的访问限制为VPN - How do I restrict access to a static s3 website to a VPN 使用无服务器部署,如何将对一个 AWS Lambda 的访问限制为 IP 地址的子集 - Using serverless deployment, how do I restrict access to one AWS Lambda to a subset of IP addresses 我的S3存储桶中的项目可公开访问。 如何限制访问权限,以便只能从我的应用程序内访问S3存储桶链接? - Items in my S3 bucket are publicly accessible. How do I restrict access so that the S3 Bucket link is only accessible from within my app? 如何将 AWS S3 存储桶的访问权限限制为特定角色? - How to restrict access to an AWS S3 bucket only to a specific role? 限制s3存储桶对特定区域的访问 - Restrict s3 bucket access to specific regions 如何将根域指向提供 S3 静态站点的 CloudFront 分配? 我在 Google Domains 上 - How do I point a root domain to a CloudFront distribution serving up S3 static site? I'm on Google Domains 如何设置访问点策略以允许我的 web 服务器访问 S3 存储桶中的对象: - How do I set up the Access Point Policy to allow my web server to access objects in S3 Bucket:
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM