Visionscaper
Reputation: 4129
Amazon S3 : How to allow access to a specific path, only for a specific referer?
I have a Amazon S3 bucket mybucket and only want to enable access to content in a specific nested folder (or in S3 terms, with a specific "prefix").
I tried the following S3 bucket policy but it doesn't work. After adding the condition I started getting access denied errors in the browser.
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content only from my.domain.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
What should the policy look like to achieve this?
Upvotes: 1
Views: 2202
Answers (1)
Visionscaper
Reputation: 4129
You need to split the policy in to two statements. One to allow access to the folder (prefix), and one to deny access when the referer is not one of the white listed domains:
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*"
},
{
"Sid": "Deny access to public content when not on my.domain.com",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
Upvotes: 1
Related Questions
- getting "The bucket does not allow ACLs" Error
- How to Give Amazon SES Permission to Write to Your Amazon S3 Bucket
- Amazon S3 bucket policy allow access to ONLY specific http
- URL for public Amazon S3 bucket
- s3 Policy has invalid action - s3:ListAllMyBuckets
- Restrict access to S3 static website that uses API Gateway as a proxy
- How can I recover from Access Denied Error on AWS S3?
- AWS S3 Bucket Policy - Allow GetObject only within a prefix
- s3 bucket policy chrome bug