AWS S3 - File access only allowed when coming from a specific domain

0

Hi

I've added a PDF file to a bucket. I only want people to be able to view it if they are visiting from a specific domain name. If someone had the actual link they wouldn't be allowed to view it unless they were logged in on the allowed domain.

Mank thanks

2 Answers
0

Hi

Thanks for this info. I'm really new to AWS & S3. I looked at the Limiting access to specific IP Addresses help doc and noticed Restricting access to a specific HTTP referer. I've played around with that and can get that to only allow access if the user is coming from the allowed domain.

The help doc says to be careful with aws:Referer. Would you say what I am doing could be dangerous?

I modified the sample policy i.e.

{ "Version":"2012-10-17", "Id":"http referer policy example", "Statement":[ { "Sid":"Allow get requests originating from www.example.com and example.com.", "Effect":"Allow", "Principal":"", "Action":["s3:GetObject","s3:GetObjectVersion"], "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/", "Condition":{ "StringLike":{"aws:Referer":["http://www.example.com/","http://example.com/"]} } } ] }

Cheers

Keith
answered 2 years ago
  • It is so easy for the client to set the Referer value to what ever they want. It really does not limit access from those domains.

0

I don't think it is possible to restrict from a particular domain but you can restrict the GetObject request to only a set(s) of CIDR addresses. See: Limiting access to specific IP addresses

If you fronted the bucket with CloudFront, you could do something similar using a WAF rule.

profile pictureAWS
EXPERT
kentrad
answered 2 years ago
profile pictureAWS
EXPERT
Toni_S
reviewed 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions