Cloudfront - item in query string triggers 403 Forbidden from S3 origin on the same resource

I have been debugging an issue with Cloudfront where including the term "notification" in the query string of my request URL specifically returns a 403 from S3. The following two examples demonstrate the behaviour:

https://my.website.com/app/home?notification=THING - 403 Forbidden returned by S3

https://my.website.com/app/home?notificatio=THING - 304 Not Modified, and I can access the resource without any problem

Within the scope of my testing, anything in the query string that does not explicitly contain the string "notification" works. It is only this word specifically that is problematic.

A few things to note...

  • Query string forwarding and caching on the origin behaviour is set to "Forward all, cache based on all"
  • I have a Lambda function triggered on the origin-request, origin-response and viewer-response events; this function appends /index.html to the request URI before forwarding to the origin.
  • Both requests use the same Origin Access Identity, and I can verify that it has sufficient permissions on S3 - the second example working as expected proves this.

As far as I understand, S3 does not pay attention to forwarded query strings, but pulling the request/response data from the two examples above clearly shows a difference in behaviour, even though the only variable is the content of the query string (as far as I can tell anyway!)

Failing request:

{
    "config": {
        "distributionDomainName": "<redacted>.cloudfront.net",
        "distributionId": "<redacted>",
        "eventType": "origin-response",
        "requestId": "<redacted>"
    },
    "request": {
        "clientIp": "<redacted>",
        "headers": {
            "x-forwarded-for": [
                {
                    "key": "X-Forwarded-For",
                    "value": "<redacted>"
                }
            ],
            "user-agent": [
                {
                    "key": "User-Agent",
                    "value": "Amazon CloudFront"
                }
            ],
            "via": [
                {
                    "key": "Via",
                    "value": "1.1 <redacted>.cloudfront.net (CloudFront)"
                }
            ],
            "host": [
                {
                    "key": "Host",
                    "value": "<redacted>.s3.eu-west-1.amazonaws.com"
                }
            ]
        },
        "method": "GET",
        "origin": {
            "s3": {
                "authMethod": "origin-access-identity",
                "customHeaders": {},
                "domainName": "<redacted>.s3.eu-west-1.amazonaws.com",
                "path": "",
                "region": "eu-west-1"
            }
        },
        "querystring": "notification=THING",
        "uri": "/app/home/index.html"
    },
    "response": {
        "headers": {
            "x-amz-request-id": [
                {
                    "key": "x-amz-request-id",
                    "value": "<redacted>"
                }
            ],
            "x-amz-id-2": [
                {
                    "key": "x-amz-id-2",
                    "value": "<redacted>"
                }
            ],
            "date": [
                {
                    "key": "Date",
                    "value": "Tue, 15 Dec 2020 17:15:11 GMT"
                }
            ],
            "server": [
                {
                    "key": "Server",
                    "value": "AmazonS3"
                }
            ],
            "content-type": [
                {
                    "key": "Content-Type",
                    "value": "application/xml"
                }
            ],
            "transfer-encoding": [
                {
                    "key": "Transfer-Encoding",
                    "value": "chunked"
                }
            ]
        },
        "status": "403",
        "statusDescription": "Forbidden"
    }
}

Working request:

{
    "config": {
        "distributionDomainName": "<redacted>.cloudfront.net",
        "distributionId": "<redacted>",
        "eventType": "origin-response",
        "requestId": "<redacted>"
    },
    "request": {
        "clientIp": "<redacted>",
        "headers": {
            "if-modified-since": [
                {
                    "key": "If-Modified-Since",
                    "value": "<redacted>"
                }
            ],
            "if-none-match": [
                {
                    "key": "If-None-Match",
                    "value": "<redacted>"
                }
            ],
            "x-forwarded-for": [
                {
                    "key": "X-Forwarded-For",
                    "value": "<redacted>"
                }
            ],
            "user-agent": [
                {
                    "key": "User-Agent",
                    "value": "Amazon CloudFront"
                }
            ],
            "via": [
                {
                    "key": "Via",
                    "value": "1.1 <redacted>.cloudfront.net (CloudFront)"
                }
            ],
            "host": [
                {
                    "key": "Host",
                    "value": "<redacted>.s3.eu-west-1.amazonaws.com"
                }
            ]
        },
        "method": "GET",
        "origin": {
            "s3": {
                "authMethod": "origin-access-identity",
                "customHeaders": {},
                "domainName": "<redacted>.s3.eu-west-1.amazonaws.com",
                "path": "",
                "region": "eu-west-1"
            }
        },
        "querystring": "notificatio=THING",
        "uri": "/app/home/index.html"
    },
    "response": {
        "headers": {
            "x-amz-id-2": [
                {
                    "key": "x-amz-id-2",
                    "value": "<redacted>"
                }
            ],
            "x-amz-request-id": [
                {
                    "key": "x-amz-request-id",
                    "value": "<redacted>"
                }
            ],
            "date": [
                {
                    "key": "Date",
                    "value": "Tue, 15 Dec 2020 17:17:29 GMT"
                }
            ],
            "last-modified": [
                {
                    "key": "Last-Modified",
                    "value": "Thu, 03 Dec 2020 09:14:18 GMT"
                }
            ],
            "etag": [
                {
                    "key": "ETag",
                    "value": "<redacted>"
                }
            ],
            "cache-control": [
                {
                    "key": "Cache-Control",
                    "value": "no-cache"
                }
            ],
            "server": [
                {
                    "key": "Server",
                    "value": "AmazonS3"
                }
            ]
        },
        "status": "304",
        "statusDescription": "Not Modified"
    }
}

Resurrecting this because I found it very difficult to google this issue. First, I narrowed it down to an issue on the S3 side. I had a similar problem with "location" in my query string. Apparently both of these are interpreted by the S3 API: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html#bucket-config-options-intro

I contacted support to see whether there was a way around this, and I got this:

"I was able to use the logs from the request IDs you provided to confirm that these query strings are being interpreted as API calls. https://xxxx.s3.eu-west-1.amazonaws.com/index.html?location=test was interpreted as a GetBucketLocation API operation. The notification query string would be interpreted as a GetBucketNotificationConfiguration operation. In this case you will not be able to use these query string parameters, such as 'location'. After consulting with some colleagues on the issue, I can confirm that this is by design and cannot be changed. The recommendation here would be to change the query string to something like 'loc' so that you are not sending unintended API operations to S3."
