简体繁体 English

Amazon S3实施访问控制

[英]Amazon S3 enforcing access control

原文 2010-05-10 22:14:15 3 2 php/ ruby-on-rails/ amazon-s3

I have several PDF files stored in Amazon S3. 我在Amazon S3中存储了几个PDF文件。 Each file is associated with a user and only the file owner can access the file. 每个文件都与用户相关联，只有文件所有者才能访问该文件。 I have enforced this in my download page. 我在下载页面中强制执行此操作。 But the actual PDF link points to Amazon S3 url, which is accessible to anybody. 但实际的PDF链接指向Amazon S3网址，任何人都可以访问。

How do I enforce the access-control rules for this url?(without making my server a proxy for all the PDF download links) 如何为此网址强制执行访问控制规则？（不使我的服务器成为所有PDF下载链接的代理）

2 个解决方案

I would suggest using Amazon S3's authenticated REST URLs with an expiration date. 我建议使用具有过期日期的Amazon S3经过身份验证的REST URL 。 They allow temporary, expiring access to a non-public S3 object. 它们允许对非公共S3对象进行临时，过期访问。

That said, if they're going to share the URL, what's stopping them from sharing the file itself? 也就是说，如果他们要共享URL，那么阻止他们共享文件的原因是什么？

Each file on your S3 account can have special access rights (ACL). S3帐户上的每个文件都可以具有特殊访问权限（ACL）。 You should set all your PDFs ACL to private . 您应该将所有PDF ACL设置为private 。 Then nobody will be able to access them. 然后没人能够访问它们。

S3 has an API which allows you to "temporarily" grant read-access. S3有一个API，允许您“临时”授予读访问权限。 For example Amazon's S3 PHP Library has a getAuthenticatedURL (string $bucket, string $uri, integer $lifetime, [boolean $hostBucket = false], [boolean $https = false]) function. 例如，亚马逊的S3 PHP库有一个getAuthenticatedURL (string $bucket, string $uri, integer $lifetime, [boolean $hostBucket = false], [boolean $https = false])函数。

This will enable you to allow access to a PDF for a defined amount of time (like 5 minutes) - which is more than enough if you immediatly redirect the user to S3. 这将使您能够在规定的时间内（例如5分钟）访问PDF - 如果您立即将用户重定向到S3，这就足够了。