How to disable access to an Amazon S3 endpoint access point

You mentioned your main SEO concern. You can use other methods for this purpose, which are probably easier to implement than the one you originally asked about.

One of the main techniques for handling duplicate content is to use rel=canonical

, which is probably fairly easy to implement. For more information see http://googlewebmastercentral.blogspot.com.br/2013/04/5-common-mistakes-with-relcanonical.html

If you insist on the need to disable bucket access if the client is not connecting through your CNAME, your best bet is to use CloudFront. You will disable the S3 website hosting option in your bucket, make your S3 slave a bucket (i.e. remove bucket policies or ACLs to allow public read), create a CloudFront distribution, define your bucket as a source, set up CNAME in your distribution. change your DNS records to point to your distribution instead of a bucket, create an Identity Access Identity (OAI) in your distribution, and give your bucket access to that OAI. Uf.

This way the user doesn't have access to the contents of your S3 bucket (unless they have AK / SK with read bucket permissions and explicitly send a signed request). The only way is through your domain.

For details on Identity Identity Access see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html