MathOldTimer

Reputation: 1331

How do I prevent hotlinking on Amazon S3 without using signed URLs?

Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

Upvotes: 23

Views: 18455

Answers (7)

Fahmi

Reputation: 2673

It's in their official docs

Change examplebucket to your bucket name, and example.com to your domain.

{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
      }
    }
  ]
}

Upvotes: 4

Ollie Glass

Reputation: 19993

You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

{
  "Version": "2008-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Deny access if referer is not my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    }
  ]
}

Upvotes: 27
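The two answers above differ only in whether an explicit Deny accompanies the Allow. The following is an added, self-contained example (not code from either answer or from AWS): a toy evaluator that applies the documented IAM rules for StringLike / StringNotLike and the deny-overrides-allow evaluation order to both policy shapes, using constructed requests against a placeholder bucket "examplebucket" and site "example.com". The `other_public_grant` flag is an assumption of the model standing in for any other grant on the objects, such as a public-read ACL; it is not an AWS API.

```python
"""Toy evaluator for S3 bucket-policy Referer conditions (illustrative, not boto3/AWS code)."""
import re

# Constructed policies shaped like the two answers above; bucket and site names are placeholders.
BUCKET = "examplebucket"
SITE = ["http://www.example.com/*", "http://example.com/*"]

ALLOW_STATEMENT = {
    "Sid": "AllowFromMySite",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringLike": {"aws:Referer": SITE}},
}
DENY_STATEMENT = {
    "Sid": "DenyOtherReferers",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringNotLike": {"aws:Referer": SITE}},
}
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_STATEMENT]}
ALLOW_AND_DENY_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_STATEMENT, DENY_STATEMENT]}


def _iam_glob(pattern):
    """IAM wildcard rules: '*' matches any run of characters (including '/'),
    '?' matches exactly one; everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{regex}$", re.DOTALL)


def string_like(value, patterns):
    """StringLike: true only if the key is present and matches at least one pattern."""
    if value is None:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_iam_glob(p).match(value) for p in patterns)


def condition_holds(condition, ctx):
    """All operator/key pairs must hold. A missing request key makes StringLike false and
    StringNotLike true, so a StringNotLike deny also catches requests that send no Referer."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = ctx.get(key)
            if operator == "StringLike":
                if not string_like(value, patterns):
                    return False
            elif operator == "StringNotLike":
                if value is not None and string_like(value, patterns):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, ctx, other_public_grant=False):
    """Explicit Deny wins; otherwise any Allow (from this policy, or from another grant such
    as a public-read ACL, modelled here by other_public_grant) allows; otherwise implicit deny."""
    effects = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_iam_glob(a).match(action) for a in actions):
            continue
        if not any(_iam_glob(r).match(resource) for r in resources):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects or other_public_grant:
        return "Allow"
    return "Deny"


def run_demo():
    """Constructed GetObject requests. Returns {case: (allow-only policy as the sole grant,
    allow-only policy plus a public ACL, allow+deny policy plus a public ACL)}."""
    obj = f"arn:aws:s3:::{BUCKET}/img/logo.png"
    cases = {
        "own site, http": {"aws:Referer": "http://www.example.com/gallery.html"},
        "other site (hotlink)": {"aws:Referer": "http://hotlinker.example.net/page.html"},
        "no Referer header": {},
        "own site, https": {"aws:Referer": "https://www.example.com/gallery.html"},
        "spoofed header (curl -H)": {"aws:Referer": "http://www.example.com/"},
    }
    return {
        name: (
            evaluate(ALLOW_ONLY_POLICY, "s3:GetObject", obj, ctx),
            evaluate(ALLOW_ONLY_POLICY, "s3:GetObject", obj, ctx, other_public_grant=True),
            evaluate(ALLOW_AND_DENY_POLICY, "s3:GetObject", obj, ctx, other_public_grant=True),
        )
        for name, ctx in cases.items()
    }


if __name__ == "__main__":
    for case, (alone, with_acl, with_deny) in run_demo().items():
        print(f"{case:26} allow-only: {alone:5} | allow-only + public ACL: {with_acl:5} | allow+deny: {with_deny}")
```

Three things the run makes visible. If the bucket policy is the only grant, the allow-only shape already implicitly denies non-matching referrers, but as soon as anything else grants read access (a public-read ACL on the objects, for instance) only the explicit Deny stops the hotlinker. Both policies as written match only `http://` patterns, so a page served over HTTPS from the same site is treated like a foreign referrer unless `https://` patterns are added, and a browser that sends no Referer at all (direct navigation, a strict Referrer-Policy) is denied by the StringNotLike statement. Finally, Referer is a client-supplied header: the "spoofed" case shows that anyone who sets it with `curl -H` gets the object, which is why AWS documents aws:Referer as a deterrent rather than an access control.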

jeremyjjbrown

Reputation: 8009

Hotlinking is one of the reasons Amazon created CloudFront. CloudFront is much, much faster too. I did a writeup on it you can look at here.

http://blog.sat.iit.edu/2011/12/amazon-aws-s3-vs-cloudwatch-performance-grudgematch/

edit: S3 and CloudFront both use the same type of bucket policy to make sure the request comes from the correct URL. CloudFront is still faster though.

Upvotes: 0

Robert Mao

Reputation: 1919

By setting up the right S3 bucket policy, you can add a referrer policy to prevent the hotlink.

http://s3browser.com/working-with-amazon-s3-bucket-policies.php

Upvotes: 11

edrevo

Reputation: 1433

There's a good tutorial here. Make sure to check out the comments, since there's a whitespace character in the website's code that causes the solution not to work.

Upvotes: 1

maddie

Reputation:

I use Apache RewriteMap to remap relative links for select file extensions -- *.jpg, *.gif, *.swf, *.fla -- to CloudFront. Basically it makes the URLs of your images present as relative links to your site. It doesn't prevent discovery of the S3/CloudFront URL totally, it just adds a layer of difficulty for the would-be thief.

Might be worth a try: apply the hotlink restrictions via .htaccess with the above method in place. I haven't tried it myself.

Upvotes: 3

Joe Beda

Reputation: 2761

Not really. You could run an EC2 instance and proxy through that.

Upvotes: -2
