If you use TLS/HTTPS, then you could consider using the "Referer" header and reject requests that do not come from your S3 domain. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
HTTPS headers are not a security feature, so your security team may still reject it.
Other options include using an identity on the site. AWS Cognito would work, but you could also implement a corporate SSO if you have one for external users.
As you say, the API request doesn't come from S3 - it comes from where the JavaScript is running, which will be the user's browser. And because the user's browser is effectively the user themselves, there's no practical way to stop the user (if they are technically aware enough) from digging through whatever security mechanism you put in place, finding the appropriate keys/headers/whatever and calling the API themselves.
As Rodney has said: If you have some sort of authentication that is integrated with your website and with API Gateway (perhaps using Cognito or a Lambda Authoriser) then only authenticated users will be able to call the API. That's still not perfect but it restricts access and also gives you the ability to see who is doing what with the API.
You might also consider using short-lived tokens (again, coupled with an authorizer on the API) but that still won't solve the underlying problem - that the user can still use those tokens for whatever the lifetime is; and they can renew them - because the website can do the same thing.