僅當從某些域發出請求時限制對AWS S3存儲桶對象的訪問

Question

我已經創建了一個存儲桶策略來嘗試停止從獲取直接URL的人鏈接到我的S3文件。我只希望我的網站能夠訪問這些文件。但是，當我直接鏈接到下面的策略時，它仍然允許訪問該文件。這些文件都設置爲公開。

{ 
    "Id": "Policy1491040992219", 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "Stmt149104", 
      "Action": [ 
       "s3:GetObject" 
      ], 
      "Effect": "Allow", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": "https://mywebsite.com/*" 
       } 
      }, 
      "Principal": "*" 
     }, 
     { 
      "Sid": "Stmt14910403436760", 
      "Action": [ 
       "s3:GetObject" 
      ], 
      "Effect": "Allow", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": "http://localhost:8888/*" 
       } 
      }, 
      "Principal": "*" 
     } 
    ] 
} 

我是否需要更改實際S3存儲桶設置的任何設置以停止所有訪問？

謝謝！

Answer 1

您錯過了Deny聲明。試試這個政策：

{ 
    "Version": "2008-10-17", 
    "Id": "Policy1491040992219", 
    "Statement": [ 
     { 
      "Sid": "Stmt149104", 
      "Effect": "Allow", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": "s3:GetObject", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringLike": { 
        "aws:Referer": [ 
         "https://mywebsite.com/*", 
         "http://localhost:8888/*" 
        ] 
       } 
      } 
     }, 
     { 
      "Sid": "Stmt149104", 
      "Effect": "Deny", 
      "Principal": { 
       "AWS": "*" 
      }, 
      "Action": "s3:GetObject", 
      "Resource": "arn:aws:s3:::bucketname/*", 
      "Condition": { 
       "StringNotLike": { 
        "aws:Referer": [ 
         "https://mywebsite.com/*", 
         "http://localhost:8888/*" 
        ] 
       } 
      } 
     } 
    ] 
}