我正在尝试制定一个S3 bucket策略,该策略只允许从CloudFront获取GetObject,但可以将Object直接放入bucket。
尝试了几种组合,但都没有成功。这是我最近尝试的一次。
With, Block All Public Access: ALL OFF.
Bucket Policy:
{
"Version": "2012-10-17",
"Id": "Policy1604429581591",
"Statement": [
{
"Sid": "Stmt1605554261786",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*"
},
{
"Sid": "Stmt1605557746418",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*"
},
{
"Sid": "Stmt1605557857544",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:MYCLOUDFRONT"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*"
}
]
}
这允许我将Object放入bucket,但使用CloudFront URL的GetObject访问被拒绝。如果我删除
{
"Sid": "Stmt1605557746418",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*"
}
我可以从CloudFront获取对象,也可以直接从bucket获取对象。
请帮忙!
找到了它的解决方案。
首先按照此处的说明设置CloudFront:https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/.关键是
5. For Restrict Bucket Access, select Yes.
我使用Multer-S3上传我的图像文件。ACL需要设置为
acl: 'authenticated-read',
此外,我正在使用serverSideEncryption,在S3 bucket属性=>默认加密
Default encryption: Enabled
Server-side encryption: Amazon S3 master-key(SSE-S3)
Multer-S3配置
serverSideEncryption: 'AES256',
S3 Bucket权限取消阻止所有公共访问,ACL仅启用Bucket所有者的权限。我的最后一个bucket策略是:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E36AHAEXL422P3"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::MYBUCKET/*"
},
{
"Sid": "Stmt1605745908405",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"StringEqualsIfExists": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
使用以上所有配置,只要请求具有"AE256"的服务器端加密,就允许任何人使用PubObject。直接到bucket的GetObject请求将被阻止。所有GetObject请求都需要通过CloudFront。