user150812

Reputation: 99

How do I restrict access of my S3 web site to specific domains or IP addresses?

I have a static web site hosted in an S3 bucket. With an SSL certificate on AWS, let's say the site is https://myawssite.com/somefolder/. On some other page, say http://containerpage.com, I have an iframe in which I put

<iframe src="https://myawssite.com/somefolder?url=/content/x83822" frameborder="0" allowfullscreen></iframe>

I want to allow the content to show only when the reference to myawssite.com is on http://containerpage.com, but I don't want to allow the viewing of the content if anyone just puts https://myawssite.com/somefolder?url=/content/x8382 into a browser, or puts the iframe into their own web page (on a web site not at myawssite.com).

Assuming containerpage.com is at IP address 5.33.253.12, I thought I could do it with an s3 bucket policy like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceIp": "5.33.253.12/32"
                }
            }
        }
    ]
}

This is not working. Ideally I would like to specify the permitted domain (containerpage.com), instead of the IP address, but I can't even get the IP address to work.

Can anyone spot what I am doing wrong, or if the whole approach is not correct?

Thanks in advance for any suggestions!

Upvotes: 0

Views: 1407

Answers (2)

John Rotenstein

Reputation: 269101

Restricting access based upon Referer is not secure. It can be easily circumvented. A simple web search reveals many methods to fake the referer field.

For a more secure method, see this StackOverflow answer: My S3 Bucket Policy only applies to some Objects

Upvotes: 1

programming_noob

Reputation: 23

You are giving the IP address, which will refer to http://containerpage.com/*.

And as @marcin commented, you should use aws:Referer.

The policy should be like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject*",
            "Resource": "arn:aws:s3:::mybucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://containerpage.com/*"
                }
            }
        }
    ]
}

See docs

Upvotes: 1
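An added simulation (not AWS's evaluator and not the answerer's code) of how the Condition blocks in the question and in this answer behave; it approximates the documented IAM semantics for StringEquals, StringLike and IpAddress, and the request values it feeds in are constructed (the viewer's address 203.0.113.7 is made up):

```python
"""Added example: approximate IAM condition evaluation for the policies above."""
import fnmatch
import ipaddress


def _matches(operator, expected, actual):
    """Evaluate one condition operator for one expected value (approximation of IAM)."""
    if actual is None:  # key absent from the request: the condition cannot be satisfied
        return False
    if operator == "StringEquals":  # exact, case-sensitive string comparison
        return actual == expected
    if operator == "StringLike":  # '*' and '?' wildcards
        return fnmatch.fnmatchcase(actual, expected)
    if operator == "IpAddress":  # CIDR containment, the operator aws:SourceIp needs
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"unsupported operator: {operator}")


def condition_allows(condition, request):
    """Every operator/key pair must hold (AND); several values for one key are OR'd."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            if not any(_matches(operator, v, request.get(key)) for v in values):
                return False
    return True


# Condition blocks from the page, plus two corrected variants to compare against.
CONDITIONS = {
    "question_as_posted": {"StringEquals": {"aws:SourceIp": "5.33.253.12/32"}},
    "question_ipaddress_operator": {"IpAddress": {"aws:SourceIp": "5.33.253.12/32"}},
    "answer_as_posted": {"StringLike": {"aws:Referer": "http://containerpage.com"}},
    "answer_with_wildcard": {"StringLike": {"aws:Referer": "http://containerpage.com/*"}},
}


def evaluate(request):
    """Return {condition name: allowed?} for a request as S3 would see it."""
    return {name: condition_allows(cond, request) for name, cond in CONDITIONS.items()}


# Constructed requests. The iframe is fetched by the *viewer's* browser, so
# aws:SourceIp is the viewer's address (203.0.113.7, made up), never 5.33.253.12.
EMBEDDED = {"aws:SourceIp": "203.0.113.7", "aws:Referer": "http://containerpage.com/page.html"}
DIRECT = {"aws:SourceIp": "203.0.113.7"}  # URL typed into the address bar: no Referer

if __name__ == "__main__":
    for label, req in (("embedded", EMBEDDED), ("direct", DIRECT)):
        print(label, evaluate(req))
```

Only the wildcard form admits the embedded request: StringEquals on aws:SourceIp never matches a CIDR string, and even the IpAddress operator would only admit requests coming from 5.33.253.12 itself, not from viewers. Because aws:Referer is supplied by the client, any request carrying that header string is allowed, which is the weakness the first answer points out.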
