S3 will block public access permissions applied to newly added buckets or objects, and prevent the creation of new public access ACLs for existing buckets and objects. This setting doesn’t change any existing permissions that allow public access to S3 resources using ACLs.
Once this rule is applied, no new allow-list entries can be added, while the existing ACL rules continue to apply.
S3 will ignore all ACLs that grant public access to buckets and objects.
Blocks every public request, including those that were allow-listed.
S3 will block new bucket and access point policies that grant public access to buckets and objects. This setting doesn't change any existing policies that allow public access to S3 resources.
Once this rule is applied, no new public access can be added through bucket or access point policies, while the existing policies continue to apply.
S3 will ignore public and cross-account access for buckets or access points with policies that grant public access to buckets and objects.
aws s3api list-buckets --query Owner.ID --output text
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD",
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [
            "x-amz-server-side-encryption",
            "x-amz-request-id",
            "x-amz-id-2",
            "ETag"
        ],
        "MaxAgeSeconds": 3000
    }
]
https://hackmd.io/
The image-hosting URLs are served from S3 behind CloudFront (CDN), so that anyone can fetch an image through a URL such as https://hackmd.io/_uploads/xxxxx. The CORS configuration is where you declare which HTTP methods are allowed and which are refused. They therefore restricted it so that only requests originating from hackmd.io itself are allowed, to keep other sites from using the bucket as their image host and inflating data-transfer costs.