Aws s3只读桶策略不使用cloudfront

时间:2016-02-18 10:58:45

标签: amazon-s3 amazon-cloudfront

我已经制定了S3广告管理系统政策,以便只访问cloudfront,我希望将s3广告资源限制为公开,只需通过cloudfront从引荐网址中获取它没有应用我的s3存储桶策略。

{
  "Version": "2012-10-17",
  "Id": "http referer",
  "Statement": [
 {
   "Sid": "Allow get requests referred by www.def.com and dev.def.com.",
   "Effect": "Allow",
   "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access   Identity XXXXXXXXXXX"
        },
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::devmb/*",
   "Condition": {
     "StringLike": {
     "aws:Referer": [
     "http://www.def.com/*",
     "http://dev.def.com/*"
       ]
     }
  }
},
    {
      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
    "Effect": "Deny",
    "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXX"
        },
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::devmb/*",
    "Condition": {
      "StringLike": {
      "aws:Referer": [
      "http://dev.xyx.com/*",
      "http://blog.xyz.com/*"
      ]
     }
    }
  }
 ]
}

我的内容现已公开。

1 个答案:

答案 0 :(得分:0)

Referer 在使用CloudFront时不起作用,因为referer未出现在HTTP请求标头本身中。如果您希望使用条件aws限制访问,则必须使用没有CloudFront的S3:存储桶策略中的Referer。

相关问题
最新问题