Amazon S3 Bucket Policy Referer

I am trying to edit my S3 config so that third-party sites cannot link to content in it. Also, the added benefit is that they can only access content from my domain and not the additional s3bucket.amazon-east.amazonaws.com or something.

There is an example in the documentation for exactly this, but when I copy / paste / modify it for my site (below), it doesn't work. I am still getting 403 errors. When I take out only the conditional section, it provides full access, so the problem must be in that conditional section.

It's such a short piece of code that I'm banging my head against the wall ... hoping that a second set of eyes can point out something I'm missing that is probably obvious?

Otherwise, maybe there is nothing wrong with it, and there are additional configurations elsewhere that I have not asked about / considered?

Thanks for reading.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "fml",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.mysite.com/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://mysite.com/*",
                        "http://www.mysite.com/*"
                    ]
                }
            }
        }
    ]
}

      

+3




2 answers


Do you have logging for your bucket?

If you do, you can check the logs to verify that the referrer is being logged along with these 403 access denied messages and that it is what you expect. If it is not, the problem is not with the bucket configuration; it is a question of why the referrer is not being sent by the browser.

If you don't have logging, enable it.



Also an added benefit is that they can only access content from my domain and not the additional s3bucket.amazon-east.amazonaws.com or something like that.

What makes you think this is true?

0
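To make the check in this answer concrete, here is an added example (not part of the answer or of AWS tooling) that parses S3 server access log lines and groups the 403 responses by the Referer value the browser actually sent. The log lines are constructed for the example and follow the documented S3 server access log field order, where Referer is the sixteenth field; a `"-"` there means no Referer header arrived at all. The fourth constructed line illustrates a case worth looking for in real logs: an `https://` referrer from the right site, which the question's policy still denies because it only lists `http://` patterns.

```python
import re
from collections import Counter

# Constructed sample S3 server access log lines (not real log data). Field order
# follows the S3 server access log format: ... "Request-URI" status error-code
# bytes-sent object-size total-time turn-around-time "Referer" "User-Agent" ...
SAMPLE_LOG = """\
OWNERID www.mysite.com [10/Mar/2014:12:00:01 +0000] 192.0.2.10 - REQID1 REST.GET.OBJECT img/a.png "GET /img/a.png HTTP/1.1" 200 - 1024 1024 12 10 "http://www.mysite.com/page.html" "Mozilla/5.0" -
OWNERID www.mysite.com [10/Mar/2014:12:00:02 +0000] 192.0.2.11 - REQID2 REST.GET.OBJECT img/a.png "GET /img/a.png HTTP/1.1" 403 AccessDenied 243 1024 8 - "-" "Mozilla/5.0" -
OWNERID www.mysite.com [10/Mar/2014:12:00:03 +0000] 192.0.2.12 - REQID3 REST.GET.OBJECT img/b.png "GET /img/b.png HTTP/1.1" 403 AccessDenied 243 2048 9 - "http://othersite.example/hotlink.html" "Mozilla/5.0" -
OWNERID www.mysite.com [10/Mar/2014:12:00:04 +0000] 192.0.2.13 - REQID4 REST.GET.OBJECT img/b.png "GET /img/b.png HTTP/1.1" 403 AccessDenied 243 2048 9 - "https://www.mysite.com/page.html" "Mozilla/5.0" -
"""

# One token per field: a [bracketed timestamp], a "quoted string", or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Split one access log line into the fields relevant to a Referer investigation."""
    fields = TOKEN.findall(line)
    if len(fields) < 17:
        raise ValueError("not a complete S3 access log line: %r" % line)
    return {
        "time": fields[2].strip("[]"),
        "ip": fields[3],
        "operation": fields[6],
        "key": fields[7],
        "status": int(fields[9]),
        "error": fields[10],
        "referer": fields[15].strip('"'),   # "-" when the browser sent no Referer
    }


def summarize_denials(log_text):
    """Count 403 responses per Referer value, so missing or unexpected referrers stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record["status"] == 403:
            counts[record["referer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for referer, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print("%3d x 403  Referer=%s" % (n, referer))
```

Reading the summary: a large count under `"-"` points at clients that strip or never send Referer (the answer's "why the referrer is not being sent" case), referrers from other hosts are the hotlinks the policy is meant to block, and referrers from your own host that are still denied point at a pattern mismatch in the policy itself rather than at the browser.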




It's important to note that if your referrer pattern includes /* at the end, it will only allow content requested from that referrer's children, not from the referrer itself.

So, if you want to include your main domain, then you will need to do it like this:



                "aws:Referer": [
                    "http://example.com",
                    "http://example.com/*",
                    "http://www.example.com",
                    "http://www.example.com/*"
                ]

      

0
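The matching rule this answer relies on can be checked offline. The following added example (not part of either answer) reimplements the IAM StringLike comparison as documented, case-sensitive with `*` matching any run of characters and `?` one character, and applies the question's pattern list and this answer's extended list to a few candidate Referer values. An absent Referer header means the condition key is missing, so the condition is not satisfied and the Allow never applies, which the example models as `None`. The one thing no pattern list fixes is that Referer is set by the client, so a policy like this deters casual hotlinking but is not access control.

```python
import re


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' = zero or more characters, '?' = exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def referer_allowed(patterns, referer):
    """Evaluate a multi-valued StringLike condition: any listed pattern may match.

    referer=None models a request with no Referer header at all; the condition key
    is then missing, StringLike is not satisfied, and the Allow statement does not apply.
    """
    if referer is None:
        return False
    return any(string_like(p, referer) for p in patterns)


# The question's original condition values.
QUESTION_PATTERNS = ["http://mysite.com/*", "http://www.mysite.com/*"]

# The answer's fix: also list the bare origins, which "/*" alone does not cover.
ANSWER_PATTERNS = QUESTION_PATTERNS + ["http://mysite.com", "http://www.mysite.com"]

# Constructed Referer values a browser might send (not taken from any real log).
CANDIDATES = [
    "http://www.mysite.com",                    # bare origin: denied by the question's list
    "http://www.mysite.com/",                   # trailing slash: '*' matches the empty string
    "http://www.mysite.com/page.html",          # child page: allowed by both lists
    "https://www.mysite.com/page.html",         # https is not in either list
    "http://www.mysite.com.evil.example/x",     # lookalike host must not match
    None,                                       # no Referer header sent
]


def compare(patterns_before, patterns_after, candidates):
    """Return {referer: (allowed_before, allowed_after)} for each candidate."""
    return {
        c: (referer_allowed(patterns_before, c), referer_allowed(patterns_after, c))
        for c in candidates
    }


if __name__ == "__main__":
    for referer, (before, after) in compare(QUESTION_PATTERNS, ANSWER_PATTERNS, CANDIDATES).items():
        print("%-40s question:%-5s answer:%s" % (referer, before, after))
```

Running it shows exactly the gap the answer describes: `http://www.mysite.com` (no trailing slash) is denied under the question's patterns and allowed once the bare origin is added, while `http://www.mysite.com/` was already allowed because `*` matches the empty string. The `https://` candidate stays denied under both lists, which is worth checking against your own site before blaming the browser.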

