
How do I restrict access of my S3 web site to specific domains or IP addresses?

I have a static web site hosted in an S3 bucket. With an SSL certificate on AWS, let's say the site is https://myawssite.com/somefolder/. On some other page, say http://containerpage.com, I have an iframe in which I put

<iframe src="https://myawssite.com/somefolder?url=/content/x83822" frameborder="0" allowfullscreen></iframe>

I want to allow the content to show only when the reference to myawssite.com is on http://containerpage.com, but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382 into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com).

Assuming containerpage.com is at IP address 5.33.253.12, I thought I could do it with an S3 bucket policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceIp": "5.33.253.12/32"
                }
            }
        }
    ]
}

This is not working. Ideally I would like to specify the permitted domain (containerpage.com) instead of the IP address, but I can't even get the IP address to work.

Can anyone spot what I am doing wrong, or if the whole approach is not correct?

Thanks in advance for any suggestions!

You are giving the IP address, which will refer to http://containerpage.com/*.

As @marcin commented, you should use aws:Referer.

The policy should be something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://containerpage.com/*"
                }
            }
        }
    ]
}

See the docs.
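To make concrete why the aws:SourceIp condition from the question never matches for an embedded page while an aws:Referer condition can, here is a small toy evaluator for the three condition operators involved (StringEquals, StringLike, IpAddress). It is an added example, not AWS's policy engine and not code from either poster; the request contexts and IP addresses are constructed. The key point it models: aws:SourceIp is the address of whoever sends the GetObject request (the visitor's browser), never the address of the server hosting containerpage.com, and aws:Referer is simply the Referer header that browser sent.

```python
import fnmatch
import ipaddress

# Condition blocks under discussion (constructed to mirror the question and the answer).
CONDITION_AS_POSTED = {"StringEquals": {"aws:SourceIp": "5.33.253.12/32"}}   # from the question
CONDITION_IPADDRESS = {"IpAddress": {"aws:SourceIp": "5.33.253.12/32"}}      # operator AWS documents for IP keys
CONDITION_REFERER = {"StringLike": {"aws:Referer": "http://containerpage.com/*"}}  # from the answer


def request_context(client_ip, referer=None):
    """Condition keys S3 would see for one GetObject request.

    client_ip: the IP that opened the TCP connection to S3 (the visitor's browser).
    referer:   the Referer header that browser chose to send, or None when absent
               (e.g. the URL typed directly into the address bar).
    """
    ctx = {"aws:SourceIp": client_ip}
    if referer is not None:
        ctx["aws:Referer"] = referer
    return ctx


def condition_matches(condition, ctx):
    """Toy evaluation of an IAM Condition block: every operator/key pair must hold."""
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            value = ctx.get(key)
            if value is None:
                return False  # a missing key never satisfies a positive condition
            if operator == "StringEquals":
                if value != pattern:
                    return False
            elif operator == "StringLike":
                # IAM StringLike supports * and ? wildcards; fnmatchcase does the same here
                if not fnmatch.fnmatchcase(value, pattern):
                    return False
            elif operator == "IpAddress":
                if ipaddress.ip_address(value) not in ipaddress.ip_network(pattern):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def visitor_embedded_page_allowed(condition):
    """A visitor at a constructed address views containerpage.com and its iframe loads the S3 object."""
    ctx = request_context("203.0.113.4", referer="http://containerpage.com/article/1")
    return condition_matches(condition, ctx)


def direct_url_allowed(condition):
    """The same visitor pastes the S3 URL straight into the address bar (no Referer)."""
    return condition_matches(condition, request_context("203.0.113.4"))


def embedded_elsewhere_allowed(condition):
    """The iframe is placed on an unrelated site (constructed name)."""
    ctx = request_context("203.0.113.4", referer="https://other-site.example/page")
    return condition_matches(condition, ctx)


if __name__ == "__main__":
    for name, cond in [("as posted", CONDITION_AS_POSTED),
                       ("IpAddress", CONDITION_IPADDRESS),
                       ("Referer", CONDITION_REFERER)]:
        print(name, visitor_embedded_page_allowed(cond),
              direct_url_allowed(cond), embedded_elsewhere_allowed(cond))
```

Running it shows the SourceIp variants denying the legitimate embedded view in every case (the request comes from 203.0.113.4, not from 5.33.253.12, and the as-posted StringEquals additionally compares a bare IP string against a CIDR string), while the Referer condition allows the embedded view and denies the direct URL and the foreign embed. Note that the only input distinguishing those last two outcomes is a client-supplied header, which is the weakness the next answer raises.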

Restricting access based upon Referer is not secure. It can be easily circumvented. A simple web search reveals many methods to fake the referer field.

For a more secure method, see this StackOverflow answer: My S3 Bucket Policy only applies to some Objects
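As an added example, not the linked answer's method and not code from any poster, here is the shape of a per-URL, time-limited token check that a practitioner would put in front of the bucket instead of trusting Referer: the container page signs the iframe URL with a shared secret and an expiry, and a verifier on the serving path (assumed to be something like a CloudFront function or a small edge handler, which S3's bucket policy alone cannot provide) rejects anything unsigned, expired or altered. The secret value, the `exp` and `sig` parameter names, and the helper names are all assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed shared secret held by the page server and by the verifier in front of the
# bucket. Constructed placeholder; a real deployment generates a random secret.
SECRET = b"replace-with-a-random-32-byte-secret"


def _canonical(path, params):
    """Deterministic string covering the path and every query parameter except sig."""
    return path + "?" + urlencode(sorted(params.items()))


def sign_url(base, params, expires_at, secret=SECRET):
    """Return base?params...&exp=...&sig=... for the iframe src on the container page."""
    params = dict(params, exp=str(expires_at))
    path = urlparse(base).path
    sig = hmac.new(secret, _canonical(path, params).encode(), hashlib.sha256).hexdigest()
    return base + "?" + urlencode(sorted(params.items())) + "&sig=" + sig


def verify_url(url, now, secret=SECRET):
    """Verifier side: accept only an unexpired URL whose signature covers path and params."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    sig = params.pop("sig", None)
    exp = params.get("exp")
    if sig is None or exp is None or not exp.isdigit():
        return False  # unsigned or malformed
    if now > int(exp):
        return False  # expired: a copied URL stops working after the window
    expected = hmac.new(secret, _canonical(parsed.path, params).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def demo(now=1_700_000_000):
    """Sign a URL for the question's iframe and verify the legitimate, tampered and expired cases."""
    base = "https://myawssite.com/somefolder"
    url = sign_url(base, {"url": "/content/x83822"}, expires_at=now + 300)
    return {
        "valid": verify_url(url, now),
        "tampered": verify_url(url.replace("x83822", "x99999"), now),
        "expired": verify_url(url, now + 301),
        "unsigned": verify_url(base + "?url=%2Fcontent%2Fx83822", now),
    }


if __name__ == "__main__":
    print(demo())
```

Unlike a Referer condition, nothing here depends on a header the client controls: the verifier recomputes the signature from the path and parameters it actually received, so changing the requested object, dropping the signature, or reusing the URL after the window all fail closed. A viewer can still share a live URL during its validity window, which is why the expiry should be kept short.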
