Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Amazon S3 Bucket Policy to prevent hot linking
{
"Version": "2008-10-17",
"Id": "0c762de8-f56b-488d-a4a4-20d1cb31df2f",
"Statement": [
{
"Sid": "Allow in my domains",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<Bucket Name>/*",
"Condition": {
"StringLike": {
"aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
}
}
},
{
"Sid": "Give not access if referer is no my sites",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<Bucket Name>/*",
"Condition": {
"StringNotLike": {
"aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
}
}
}
]
}
@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Dec 24, 2014

Hi Alicia,
I'm using Amazon S3 and CloudFront WordPress plugin with this policy. My question may not related to your work but i thought I'd ask it here since I found this while I'm researching for days.

I'm trying to get all my images served from S3, therefore I'm using above plugin. At S3 I have a bucket named cdn.mydomain.com and this bucket is working with CloudFront. I've setup an alternate domain name, cdn.mydomian.com with CloudFront and at my DNS host I'm using a CNAME record to achieve the object URL to look like:
cdn.mydomain.com/image.jpg

Whilst above works fine the same object is also available at below URLs:
s3.amazonaws.com/cdn.mydomian.com/image.jpg
cdn.mydomian.com.s3.amazonaws.com/image.jpg
xyz.cloudfront.net/image.jpg (note that when I do a nslookup cdn.mydomain.com it shows xyz.cloudfront.net)

Is there a way to stop these last three URLs from serving object to the world? I think this is possible with restricting permission at s3 bucket and IAM user used with the plugin. Please let me hear your input. Thank you.

@Greggsterr

This comment has been minimized.

Copy link

@Greggsterr Greggsterr commented Apr 10, 2017

Wow, this is the ONLY policy that I've found that works as it should.. thank you!!

@eva-thientran

This comment has been minimized.

Copy link

@eva-thientran eva-thientran commented Sep 8, 2017

How about a request from mobile app. I mean just allow a request get image when this request from my app

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment