创建允许访问Cloudfront但限制对其他任何人的访问的S3存储桶策略
Sno*_*man 18 amazon-s3 amazon-cloudfront
我有以下政策:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "Stmt1395852960432",
"Action": "s3:*",
"Effect": "Deny",
"Resource": "arn:aws:s3:::my-bucket/*",
"Principal": {
"AWS": [
"*"
]
}
},
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1IYJC432545JN"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
但是,这会拒绝来自所有请求者的请求,甚至是Cloudfront.这样做的正确方法是什么?
问题是客户端使用公共读取创建对象.我目前没有立即控制客户端来更改此设置.所以我想要的是拥有一个覆盖单个对象ACL的策略.所以默认否认这里不起作用.
Son*_*van 21
S3策略看起来像这样:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YYYYYYYYYYYYY.com/*"
}
]
}
但是,我没有手动生成这个.在cloudfront中添加原点(S3)时,您可以选择"限制存储桶访问" - 在此处显示"是"并继续前进.Cloudfront配置将自动为您完成剩下的工作.
详细信息:使用Origin访问标识限制对Amazon S3内容的访问 - Amazon CloudFront.
- 我遇到过同样的问题。AWS手册页很难读。对我而言,添加身份后,我错过了“来源”标签和“是,更新存储桶策略”。 (3认同)
Pan*_*iou 10
这就是你要找的东西.将XXXXXXXXXXXXXX替换为您的原始访问ID
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::your.bucket.com/*"
}
]
}
- 将策略添加到 S3 存储桶后,通过 CloudFront 域访问我的 S3 存储桶时,我的访问仍然被拒绝。 (3认同)
- 如果您仍然收到基于 XML 的 AccessDenied 错误,请确保在 CloudFront 分配中的“常规”选项卡下指定您的默认根对象。 (2认同)
对于难以找到 OAI 的人来说,这可能是一个简单的解决方法(来源: 亚马逊)
\n- \n
- 配置您的存储桶,如下所示:\n
- \n
- 阻止公共访问:关闭 \n
- 存储桶策略:\xe2\x86\x93 \n
\n
{\n "Version": "2012-10-17",\n "Statement": [\n {\n "Sid": "PublicReadGetObject",\n "Effect": "Allow",\n "Principal": {\n "Service": "cloudfront.amazonaws.com"\n },\n "Action": "s3:GetObject",\n "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*",\n "Condition": {\n "StringEquals": {\n "AWS:SourceArn": "arn:aws:cloudfront::<YOUR_AMAZON_ACCOUNT_ID>:distribution/<CLOUDFRONT_DISTRIBUTION_ID>"\n }\n }\n }\n ]\n}\n- \n
- 找到亚马逊账户 ID 应该没问题,因为它是您凭证的一部分 \n
- Cloutfront 发行版 ID 可以在所有云前端发行版的列表中找到:\n
\n
| 归档时间: |
|
| 查看次数: |
19773 次 |
| 最近记录: |