S3 Bucket Level Access Help | Video Domain Protection

Question

Admittedly, I'm an amateur when it comes to AWS S3 policy language. A few years ago, I set up a bucket to host videos for an online LMS that I run. I followed a guide that helped me set up the policy for the bucket to make sure no one could watch the video except from an embed run from my LMS's domain.

I'm now in the process of transferring to a new LMS and need to be able to use both domains. Being a developer outside of the AWS eco-sphere, I used simple logic about JSON to add a new domain to my policy. It sort of worked. Instead of getting a complete access denied page upon embedding a video link, I got the video player up and running. But I'm still getting a 403 forbidden error and the video won't play. My policy as it stands is as follows:

```
{
    "Version": "2008-10-17",
    "Id": "Policy1408118342443",
    "Statement": [
        {
            "Sid": "Stmt1408118336209",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::owrvideos/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "MY FIRST DOMAIN/*",
                        " MY NEW DOMAIN/*"
                    ]
                }
            }
        }
    ]
}
```
The old domain (here labeled my first domain) is still working fine. Nevermind that I've changed the aws:Referer from a simple name value pair to an array. but the second domain still doesn't seem to be working.

Any ideas would be very much appreciated.

Answer

Greetings,
The problem might be a subtle typo or whitespace issue in your policy, and here's how you might fix it.

In your provided policy, there's a space before the "MY NEW DOMAIN/*". This space might be causing the comparison to fail, as it won't match the referer header sent by the browser.

Here's the corrected policy:

```
{
    "Version": "2008-10-17",
    "Id": "Policy1408118342443",
    "Statement": [
        {
            "Sid": "Stmt1408118336209",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::owrvideos/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "MY FIRST DOMAIN/*",
                        "MY NEW DOMAIN/*"
                    ]
                }
            }
        }
    ]
}

```

Make sure to replace "MY FIRST DOMAIN/*" and "MY NEW DOMAIN/*" with the actual domain names that you want to use, e.g., "https://www.example.com/*".

Another thing to verify is the exact format of the referer header sent by browsers when accessing content on the new domain. It might be useful to debug the requests from the new domain using browser developer tools or server logs to make sure the referer header matches what you have in your policy.

Also, ensure that you have properly configured CORS (Cross-Origin Resource Sharing) settings if needed, as this might be another source of 403 errors.

Please let me know if I answered your question.

Answer

Is there a "referer" in the header of the new domain's website?  
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-referer  
What happens if I set "referer" directly in the header, etc.?  
```

```

S3 Bucket Level Access Help | Video Domain Protection

관련 콘텐츠