问题
On Amazon S3, you can restrict access to buckets by domain.
But as far as I understand from a helpful StackOverflow user, you cannot do this on CloudFront. But why? If I am correct, CloudFront only allows time-based restrictions or IP restrictions (--> so I need to know the IP's of random visitors..?) Or am I missing something?
Here is a quote from S3 documentation that suggests that per-domain restriction is possible:
---> " To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. "
--> Is there a way to make this method work on CloudFront as well? Or why something like this is not available on CloudFront?
--> Is there a similar service where this is possible, easier to setup?
回答1:
Using CloudFront along with WAF (Web Application Firewall), you can restrict requests based on IP address, referrers, or domains.
Here is a AWS blog tutorial on restricting "hotlinking".
https://blogs.aws.amazon.com/security/post/Tx2CSKIBS7EP1I5/How-to-Prevent-Hotlinking-by-Using-AWS-WAF-Amazon-CloudFront-and-Referer-Checkin
In this example, it prohibits requests where the Referrer: header does not match a specific domain.
来源:https://stackoverflow.com/questions/38718572/amazon-cloudfront-vs-s3-restrict-access-by-domain