My video blog: http://www.lofter.com/blog/cloudrivers

S3 Authorization

Restricting access to a specific HTTP referer

"Id":"http referer policy example",
"Sid":"Allow get requests originating from www.example.com and example.com.",

Adding a bucket policy to require MFA

{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
      "Condition": { "Null": { "aws:MultiFactorAuthAge": true }}
    }
  ]
}


Granting permissions to an Amazon CloudFront Origin Identity

"Sid":" Grant a CloudFront Origin Identity access to support private content",
"Principal":{"CanonicalUser":"CloudFront Origin Identity Canonical User ID"},

You can optionally use a numeric condition to limit the validity period of the aws:MultiFactorAuthAge key, independently of the lifetime of the temporary security credentials used to authenticate the request. For example, in addition to requiring MFA authentication, the following bucket policy also checks how long ago the temporary session was created. If the aws:MultiFactorAuthAge key value indicates that the temporary session was created more than one hour (3600 seconds) ago, the policy denies any operation.

{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
      "Condition": {"Null": {"aws:MultiFactorAuthAge": true }}
    },
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
      "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600 }}
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
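As an added example (not from the original post or AWS), the following Python model walks the three statements of the MFA policy above through S3's evaluation order (a matching explicit Deny wins, then Allow, otherwise the implicit deny) and shows why a request with no MFA, or with an MFA session older than 3600 seconds, is refused for taxdocuments/ while a plain GetObject elsewhere in the bucket still succeeds. The policy dict, the object key and the request contexts are constructed for this illustration, and only the Null and NumericGreaterThan operators used on the page are modelled.

```python
import fnmatch

# Constructed for this illustration: the three statements of the MFA bucket policy
# shown above as a Python dict (Id/Sid omitted because they do not affect evaluation).
MFA_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::examplebucket/taxdocuments/*",
         "Condition": {"NumericGreaterThan": {"aws:MultiFactorAuthAge": 3600}}},
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::examplebucket/*"},
    ],
}

def condition_holds(cond, ctx):
    # Only the Null and NumericGreaterThan operators used on this page are modelled.
    for op, checks in cond.items():
        for key, expected in checks.items():
            present = key in ctx
            if op == "Null":  # "Null": true matches when the key is ABSENT (no MFA used)
                ok = present != expected
            elif op == "NumericGreaterThan":  # a missing key never satisfies a numeric test
                ok = present and ctx[key] > expected
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # Simplified S3 evaluation: a matching explicit Deny wins, then Allow, else the
    # implicit deny. Principal is not checked because every statement here uses "*".
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        if not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

TAX_OBJECT = "arn:aws:s3:::examplebucket/taxdocuments/2018.pdf"  # constructed object key
```

Calling evaluate with an empty context, with {"aws:MultiFactorAuthAge": 7200} and with {"aws:MultiFactorAuthAge": 600} for s3:GetObject on TAX_OBJECT yields Deny, Deny and Allow respectively.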

posted @ 2019-08-28 10:33 Michael云擎 Views (387) Comments (0)