- 최신
- 최다 투표
- 가장 많은 댓글
Hi
Thanks for this info. I'm really new to AWS & S3. I looked at the Limiting access to specific IP Addresses help doc and noticed Restricting access to a specific HTTP referer. I've played around with that and can get that to only allow access if the user is coming from the allowed domain.
The help doc says to be careful with aws:Referer. Would you say what I am doing could be dangerous?
I modified the sample policy i.e.
{ "Version":"2012-10-17", "Id":"http referer policy example", "Statement":[ { "Sid":"Allow get requests originating from www.example.com and example.com.", "Effect":"Allow", "Principal":"", "Action":["s3:GetObject","s3:GetObjectVersion"], "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/", "Condition":{ "StringLike":{"aws:Referer":["http://www.example.com/","http://example.com/"]} } } ] }
Cheers
I don't think it is possible to restrict from a particular domain but you can restrict the GetObject request to only a set(s) of CIDR addresses. See: Limiting access to specific IP addresses
If you fronted the bucket with CloudFront, you could do something similar using a WAF rule.
It is so easy for the client to set the Referer value to what ever they want. It really does not limit access from those domains.