AWS S3 - File access only allowed when coming from a specific domain

Question

Hi

I've added a PDF file to a bucket. I only want people to be able to view it if they are visiting from a specific domain name. If someone had the actual link they wouldn't be allowed to view it unless they were logged in on the allowed domain.

Mank thanks

Answer

Hi

Thanks for this info. I'm really new to AWS & S3. I looked at the Limiting access to specific IP Addresses help doc and noticed Restricting access to a specific HTTP referer. I've played around with that and can get that to only allow access if the user is coming from the allowed domain.

The help doc says to be careful with aws:Referer. Would you say what I am doing could be dangerous?

I modified the sample policy i.e.

{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":["s3:GetObject","s3:GetObjectVersion"],
      "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
      }
    }
  ]
}

Cheers

Answer

I don't think it is possible to restrict from a particular domain but you can restrict the GetObject request to only a set(s) of CIDR addresses. See: Limiting access to specific IP addresses

If you fronted the bucket with CloudFront, you could do something similar using a WAF rule.

AWS S3 - File access only allowed when coming from a specific domain

Relevanter Inhalt