s3 bucket policy

0

Hello. I have an S3 bucket. It's open for GetObject for everyone. I want to allow the PutObject method only for S3 signed URLs and CloudFront signed URLs. How should I adjust my policy?

1 answer
0
Accepted answer

Hello, you can adjust the bucket policy to include a condition that checks for the presence of a specific query string parameter that is included in the signed URLs. Below is an example of this:

```json
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "Allow-put-object-only-with-signed-url",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringLike": {
                    "aws:url-param": "URL-signature=*"
                }
            }
        }
    ]
}
```

This will allow PutObject for S3 signed URLs that include the "URL-signature" query string parameter. As for CloudFront signed URLs, you can use cloudfront:signedUrl in the Principal field, and also include a condition that checks for the presence of the CloudFront-Signature query string parameter.

```json
{
    "Version": "2012-10-17",
    "Id": "CloudFrontPolicyId1",
    "Statement": [
        {
            "Sid": "Allow-put-object-only-with-signed-url",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringLike": {
                    "aws:url-param": "CloudFront-Signature=*"
                }
            }
        }
    ]
}
```
answered a year ago
EXPERT
reviewed 2 months ago
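As an added example, not part of the answer above, this shows how an S3 presigned PUT URL is actually built with SigV4, so you can see which query parameters reach the bucket: the signing principal in X-Amz-Credential, the timestamp and lifetime in X-Amz-Date/X-Amz-Expires, and the HMAC in X-Amz-Signature. It also checks the validity window, since a short X-Amz-Expires is the main control on how long such an upload URL can be used. The bucket name, key, credentials and timestamp are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholder inputs; no real account, bucket or credentials.
EXAMPLE_NOW = datetime.datetime(2024, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
EXAMPLE_SECRET_KEY = "example-secret-key-not-real"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_put(bucket, key, access_key, secret_key, region, expires, now):
    """Build a SigV4 presigned PUT URL (the same scheme the AWS SDKs use)."""
    if not 1 <= expires <= 604800:  # SigV4 presigned URLs live at most 7 days
        raise ValueError("expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {  # every parameter below is covered by the signature
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # the principal S3 authenticates the PUT as
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    path = "/" + quote(key, safe="/-_.~")
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join(["PUT", path, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{canonical_qs}&X-Amz-Signature={signature}"

def url_still_valid(url: str, now: datetime.datetime) -> bool:
    """True if `now` (UTC) falls inside the URL's signed validity window."""
    qs = parse_qs(urlparse(url).query)
    signed_at = datetime.datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=datetime.timezone.utc)
    lifetime = datetime.timedelta(seconds=int(qs["X-Amz-Expires"][0]))
    return signed_at <= now < signed_at + lifetime
```

Because the request is authenticated as the IAM principal named in X-Amz-Credential, a bucket policy can scope PutObject to that signing principal; the URL's lifetime is bounded by X-Amz-Expires rather than by anything the bucket policy can read from the query string.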


