Created September 13, 2012 18:26
Amazon S3 Bucket Policy to prevent hot linking
{
  "Version": "2008-10-17",
  "Id": "0c762de8-f56b-488d-a4a4-20d1cb31df2f",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket Name>/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
        }
      }
    },
    {
      "Sid": "Give not access if referer is no my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<Bucket Name>/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": ["http://<allowed referrer site(s)>/*", "http://www.<allowed referrer site(s)>/*"]
        }
      }
    }
  ]
}
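Added example, not part of the gist: a small simulator of how S3 evaluates the two statements above against a request's Referer header. It assumes a constructed placeholder domain (example.com) in place of `<allowed referrer site(s)>` and models the AWS rules that an explicit Deny wins, that a positive operator (StringLike) never matches when the key is absent, and that a negated operator (StringNotLike) evaluates to true when the key is absent.

```python
import re
from typing import List, Optional

# Constructed placeholder domain standing in for "<allowed referrer site(s)>" in the policy above.
ALLOWED_REFERERS = ["http://example.com/*", "http://www.example.com/*"]


def _like(value: str, pattern: str) -> bool:
    """Policy-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def string_like(value: Optional[str], patterns: List[str]) -> bool:
    """StringLike: case-sensitive wildcard match; an absent condition key never matches."""
    if value is None:
        return False
    return any(_like(value, p) for p in patterns)


def string_not_like(value: Optional[str], patterns: List[str]) -> bool:
    """StringNotLike: negated operator, so an absent condition key evaluates to true."""
    if value is None:
        return True
    return not any(_like(value, p) for p in patterns)


def evaluate_get_object(referer: Optional[str]) -> str:
    """Decision for an anonymous s3:GetObject on the bucket under the two statements above.
    An explicit Deny always wins; with no matching Allow the result is an implicit deny."""
    if string_not_like(referer, ALLOWED_REFERERS):   # "Give not access if referer is no my sites"
        return "Deny"
    if string_like(referer, ALLOWED_REFERERS):       # "Allow in my domains"
        return "Allow"
    return "Deny"  # implicit deny


if __name__ == "__main__":
    # Constructed sample requests; note that the Referer value is whatever the client sends.
    for ref in ["http://example.com/gallery.html", "https://example.com/gallery.html",
                "http://hotlinker.test/page", None]:
        print(f"{ref!r:40} -> {evaluate_get_object(ref)}")
```

Two things the run makes visible: a request with no Referer at all (a URL typed into the browser, or a plain download) is denied because StringNotLike matches on the missing key, and an https referrer is denied because the patterns only list http://, so a site that later moves to TLS must update the policy.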
Wow, this is the ONLY policy that I've found that works as it should. Thank you!!
How about a request from a mobile app? I mean, just allow a request to get an image when the request is from my app.
Hi Alicia,
I'm using the Amazon S3 and CloudFront WordPress plugin with this policy. My question may not be related to your work, but I thought I'd ask it here since I found this while researching for days.
I'm trying to get all my images served from S3, therefore I'm using the above plugin. At S3 I have a bucket named cdn.mydomain.com and this bucket is working with CloudFront. I've set up an alternate domain name, cdn.mydomain.com, with CloudFront, and at my DNS host I'm using a CNAME record to make the object URL look like:
cdn.mydomain.com/image.jpg
Whilst the above works fine, the same object is also available at the URLs below:
s3.amazonaws.com/cdn.mydomain.com/image.jpg
cdn.mydomain.com.s3.amazonaws.com/image.jpg
xyz.cloudfront.net/image.jpg (note that when I do an nslookup on cdn.mydomain.com it shows xyz.cloudfront.net)
Is there a way to stop these last three URLs from serving the object to the world? I think this is possible by restricting permissions at the S3 bucket and the IAM user used with the plugin. Please let me hear your input. Thank you.