
Restricting S3 Bucket Files Access to Website Only

0

I want to configure access to my S3 bucket so that its files can only be accessed from my website. I tried various bucket policies but it's not working.

s3 bucket policy

  • What do you mean when you say it isn't working: are the files not being returned at all when you have that condition in the policy statement? Or are they being returned for requests without the specified "Referer" header value?

2 Answers
0

Hello,

To allow access to the files in the bucket only from the website and nothing else, we need to update the S3 bucket policy. I have researched the issue and found one way, and I am sharing it with you. If there are any issues, comment and I will help you more :)

{
    "Version": "2012-10-17",
    "Id": "Policy1614793348558",
    "Statement": [
        {
            "Sid": "AllowOnlyWebsiteAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://your-website.com/*"
                }
            }
        },
        {
            "Sid": "DenyAllOthers",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": "https://your-website.com/*"
                }
            }
        }
    ]
}

Update the policy and try it once.

Thank you:)

EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

Thanks for sharing your policy snippet! One thing to check: AWS S3 does not trust the aws:Referer condition alone for security—it’s easy to spoof, so it’s more of a “polite suggestion” than a locked-down rule.

That said, make sure:

  • You’re serving the files through static site hosting or CloudFront
  • The site is actually passing the Referer header (use browser dev tools to confirm)

Try StringEquals instead of StringLike if you’re matching exactly:

    "aws:Referer": "https://www.example.com/"

Also double-check that:

  • The bucket name and region are correct
  • There are no conflicting deny policies

Let me know if you want help tweaking the policy further!

answered 7 months ago
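
An added example (not from either answer, and not AWS code): a simplified Python model of how the first answer's policy is evaluated against the Referer header, run over constructed requests. It models only the aws:Referer key and the string operators discussed above; the request descriptions and sample header values are assumptions.

```python
import re

# Policy from the first answer above (placeholder names kept as posted).
POLICY = {"Statement": [
    {"Sid": "AllowOnlyWebsiteAccess", "Effect": "Allow",
     "Condition": {"StringLike": {"aws:Referer": "https://your-website.com/*"}}},
    {"Sid": "DenyAllOthers", "Effect": "Deny",
     "Condition": {"StringNotLike": {"aws:Referer": "https://your-website.com/*"}}},
]}

def _like(pattern, value):
    # IAM StringLike: case-sensitive, '*' = any run of characters, '?' = one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def _condition_holds(op, pattern_or_list, value):
    patterns = [pattern_or_list] if isinstance(pattern_or_list, str) else pattern_or_list
    negated = op in ("StringNotLike", "StringNotEquals")
    if value is None:
        # Key absent from the request: positive operators fail, negated ones match.
        return negated
    match = _like if "Like" in op else (lambda p, v: p == v)
    hit = any(match(p, value) for p in patterns)
    return not hit if negated else hit

def evaluate(policy, referer):
    """Simplified model: 'Allow' or 'Deny' for an anonymous s3:GetObject with this Referer."""
    allowed = False
    for stmt in policy["Statement"]:
        applies = all(_condition_holds(op, pat, referer)
                      for op, keys in stmt.get("Condition", {}).items()
                      for key, pat in keys.items() if key == "aws:Referer")
        if applies and stmt["Effect"] == "Deny":
            return "Deny"                   # an explicit deny always wins
        allowed = allowed or applies
    return "Allow" if allowed else "Deny"   # no matching Allow = implicit deny

# Constructed requests: (description, Referer header value as received by S3)
SAMPLES = [
    ("browser, page on the site", "https://your-website.com/gallery.html"),
    ("browser, origin-only Referer", "https://your-website.com/"),
    ("direct link, no Referer header", None),
    ("embedded on another site", "https://other.example/page"),
    ("non-browser client that sets the header itself", "https://your-website.com/x"),
]

if __name__ == "__main__":
    for desc, ref in SAMPLES:
        print(f"{evaluate(POLICY, ref):5}  {desc}")
```

The last row is allowed because the policy only sees the header value, which is the second answer's point about Referer being a courtesy check rather than access control.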
