@alicial /amz-s3-bucket-policy
Amazon S3 Bucket Policy to prevent hot linking
{
  "Version": "2008-10-17",
  "Id": "0c762de8-f56b-488d-a4a4-20d1cb31df2f",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket Name>/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
        }
      }
    },
    {
      "Sid": "Give not access if referer is no my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket Name>/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
        }
      }
    }
  ]
}
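
The following is an added example, not part of the gist: a simplified Python model of how the two statements above evaluate for an anonymous request, with example.com as a constructed stand-in for the allowed site. It shows that a missing Referer and an https:// page on the allowed site are both denied because the patterns list only http://; since the header is supplied by the client, the policy deters hot linking rather than authenticating callers.

```python
import re

# Constructed sample: example.com stands in for "<allowed referrer site(s)>".
PATTERNS = ["http://example.com/*", "http://www.example.com/*"]
POLICY = [
    {"Effect": "Allow", "Condition": {"StringLike": {"aws:Referer": PATTERNS}}},
    {"Effect": "Deny", "Condition": {"StringNotLike": {"aws:Referer": PATTERNS}}},
]


def like(pattern, value):
    """Case-sensitive wildcard match: * is any run of characters, ? is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None


def condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            matched = value is not None and any(like(p, value) for p in patterns)
            if operator == "StringLike":
                ok = matched  # a missing key never satisfies a positive operator
            elif operator == "StringNotLike":
                ok = not matched  # a missing key satisfies a negated operator
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def decide(referer):
    """Return the decision for a GetObject request carrying this Referer (or None)."""
    context = {} if referer is None else {"aws:Referer": referer}
    effects = {s["Effect"] for s in POLICY if condition_holds(s["Condition"], context)}
    if "Deny" in effects:
        return "Deny"  # an explicit Deny overrides any Allow
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    for ref in ("http://example.com/post.html", "https://example.com/post.html",
                "http://other.test/page", None):
        print(f"{ref!r:40} -> {decide(ref)}")
```
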
@majgin

Hi Alicia,
I'm using the Amazon S3 and CloudFront WordPress plugin with this policy. My question may not be related to your work, but I thought I'd ask it here since I found this while researching for days.

I'm trying to get all my images served from S3, therefore I'm using the above plugin. At S3 I have a bucket named cdn.mydomain.com and this bucket is working with CloudFront. I've set up an alternate domain name, cdn.mydomian.com, with CloudFront, and at my DNS host I'm using a CNAME record to make the object URL look like:
cdn.mydomain.com/image.jpg

Whilst the above works fine, the same object is also available at the URLs below:
s3.amazonaws.com/cdn.mydomian.com/image.jpg
cdn.mydomian.com.s3.amazonaws.com/image.jpg
xyz.cloudfront.net/image.jpg (note that when I do an nslookup of cdn.mydomain.com it shows xyz.cloudfront.net)

Is there a way to stop these last three URLs from serving the object to the world? I think this is possible by restricting permissions on the S3 bucket and the IAM user used with the plugin. Please let me hear your input. Thank you.
