Deny access to user agent to access a bucket in AWS S3

依然范特西╮ submitted on 2019-12-13 07:18:50

Question


In my S3 logs I see multiple requests from NSPlayer and all the requests are like below:

[29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67 REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3

"GET /bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200 - 4122705 5639543 6305 58

"http://m.xxxxxxw.com /" "NSPlayer/12.00.9651.0000 WMFSDK/12.00.9651.0000" -

I want to deny access to this user agent and I have written the bucket policy as well as the user policy to deny the access. However, the access is still not getting denied. Could you please help me to figure out why it's happening?

Here is the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxxx0",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxx3:user/bucket"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:UserAgent": "NSPlayer"
                }
            }
        }
    ]
}

Please let me know how to fix this!


Answer 1:


This is the reply I got from Amazon:

You almost have the correct policy on the bucket to block access from that user agent. The tricky part is that you're allowing access to the individual objects via public-read ACLs, so you can't use a restrictive "Allow" statement on the bucket. You'll need to explicitly deny that user agent from performing GET requests.

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:UserAgent": "*NSPlayer*"
                }
            }
        }
    ]
}

The above policy will block any access to the bucket from anywhere, if NSPlayer is in the UserAgent string.

Also as FYI, Bucket Policy takes precedence over the User policy.
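The following is an added example (not code from the question, the answer, or AWS) that models the small part of S3 policy evaluation the two policies above rely on: explicit Deny wins, an object ACL can grant access on its own, and StringLike / StringNotLike match the whole value with `*` and `?` wildcards. It runs both the asker's Allow-only policy and the Deny policy from Amazon's reply against the user agent and object key taken from the question's log line. The IAM account id, the browser user agent and the "anonymous" principal label are constructed for the demonstration.

```python
"""Simplified model of S3 bucket-policy evaluation (added example, not AWS code).
Only the features the two policies on this page use are implemented:
Effect, Principal, Action, Resource, StringLike and StringNotLike."""
import re

# Constructed inputs: the user agent and object key come from the question's log
# line; the browser user agent and the account id (placeholder) are made up.
OBJECT_ARN = "arn:aws:s3:::bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3"
UA_NSPLAYER = "NSPlayer/12.00.9651.0000 WMFSDK/12.00.9651.0000"
UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
ANONYMOUS = "anonymous"  # unsigned request, served only because of a public-read object ACL
BUCKET_USER = "arn:aws:iam::123456789012:user/bucket"  # placeholder account id

# The asker's policy: Allow for one IAM user, pattern "NSPlayer" without wildcards.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": BUCKET_USER},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {"StringNotLike": {"aws:UserAgent": "NSPlayer"}},
    }],
}

# The policy from Amazon's reply: explicit Deny for everyone whose UA contains NSPlayer.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {"StringLike": {"aws:UserAgent": "*NSPlayer*"}},
    }],
}


def iam_glob_match(pattern, value):
    """IAM string matching: '*' matches any run of characters, '?' exactly one,
    and the pattern must cover the whole value (there is no substring match)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def as_list(x):
    return x if isinstance(x, list) else [x]


def principal_matches(spec, principal):
    if spec == "*":
        return True
    arns = as_list(spec.get("AWS", []))
    return "*" in arns or principal in arns


def condition_matches(condition, context):
    for operator, pairs in condition.items():
        if operator not in ("StringLike", "StringNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key, "")
            hit = any(iam_glob_match(p, value) for p in as_list(patterns))
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
    return True


def is_allowed(policy, principal, action, resource, user_agent, acl_allows):
    """An explicit Deny in the bucket policy always wins; otherwise the request
    succeeds if either the bucket policy or the object ACL grants it. Anonymous
    GETs on public-read objects are granted by the ACL, which is why an
    Allow-only bucket policy cannot block them."""
    context = {"aws:UserAgent": user_agent}
    allowed = acl_allows
    for stmt in policy["Statement"]:
        if not principal_matches(stmt["Principal"], principal):
            continue
        if not any(iam_glob_match(a, action) for a in as_list(stmt["Action"])):
            continue
        if not any(iam_glob_match(r, resource) for r in as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("deny", DENY_POLICY)):
        for ua in (UA_NSPLAYER, UA_BROWSER):
            verdict = is_allowed(policy, ANONYMOUS, "s3:GetObject", OBJECT_ARN, ua, acl_allows=True)
            print(f"{name:8s} {ua.split('/')[0]:8s} allowed={verdict}")
```

Two things the run makes visible: the anonymous NSPlayer request stays allowed under the original policy because that policy's only statement targets a different principal and the object ACL grants the read anyway, and the pattern "NSPlayer" never matches the real header value "NSPlayer/12.00..." because IAM patterns must cover the whole string, so the reply's "*NSPlayer*" is needed even for the intended principal.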



Source: https://stackoverflow.com/questions/35739337/deny-access-to-user-agent-to-access-a-bucket-in-aws-s3
