By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

S3 Bucket Level Access Help | Video Domain Protection

1

Admittedly, I'm an amateur when it comes to AWS S3 policy language. A few years ago, I set up a bucket to host videos for an online LMS that I run. I followed a guide that helped me set up the policy for the bucket to make sure no one could watch the video except from an embed run from my LMS's domain.

I'm now in the process of transferring to a new LMS and need to be able to use both domains. Being a developer outside of the AWS eco-sphere, I used simple logic about JSON to add a new domain to my policy. It sort of worked. Instead of getting a complete access denied page upon embedding a video link, I got the video player up and running. But I'm still getting a 403 forbidden error and the video won't play. My policy as it stands is as follows:

{
    "Version": "2008-10-17",
    "Id": "Policy1408118342443",
    "Statement": [
        {
            "Sid": "Stmt1408118336209",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::owrvideos/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "MY FIRST DOMAIN/*",
                        " MY NEW DOMAIN/*"
                    ]
                }
            }
        }
    ]
}

The old domain (here labeled my first domain) is still working fine. Nevermind that I've changed the aws:Referer from a simple name value pair to an array. but the second domain still doesn't seem to be working.

Any ideas would be very much appreciated.

Topics
Security, Identity, & ComplianceStorage
Tags
IAM PoliciesS3 Select
Language
English
landdeld
asked 9 months ago240 views
2 Answers
5

Greetings, The problem might be a subtle typo or whitespace issue in your policy, and here's how you might fix it.

In your provided policy, there's a space before the "MY NEW DOMAIN/*". This space might be causing the comparison to fail, as it won't match the referer header sent by the browser.

Here's the corrected policy:

{
    "Version": "2008-10-17",
    "Id": "Policy1408118342443",
    "Statement": [
        {
            "Sid": "Stmt1408118336209",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::owrvideos/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "MY FIRST DOMAIN/*",
                        "MY NEW DOMAIN/*"
                    ]
                }
            }
        }
    ]
}

Make sure to replace "MY FIRST DOMAIN/" and "MY NEW DOMAIN/" with the actual domain names that you want to use, e.g., "https://www.example.com/*".

Another thing to verify is the exact format of the referer header sent by browsers when accessing content on the new domain. It might be useful to debug the requests from the new domain using browser developer tools or server logs to make sure the referer header matches what you have in your policy.

Also, ensure that you have properly configured CORS (Cross-Origin Resource Sharing) settings if needed, as this might be another source of 403 errors.

Please let me know if I answered your question.

AWS
EXPERT
ZJon
answered 9 months ago
0

Is there a "referer" in the header of the new domain's website?
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-referer
What happens if I set "referer" directly in the header, etc.?

<meta name="referer" content="origin">
profile picture
EXPERT
Riku_Kobayashi
answered 9 months ago
profile picture
EXPERT
Gary Mclean
reviewed 9 months ago
  • Riku_Kobayashi EXPERT
    9 months ago

    As for the bucket policy, all are set to Deny as follows. By setting "StringNotLike", access from domains other than the one you have set will be denied.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Public Read Bucket Objects",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::xxxx.xxxx.xx/*"
        },
        {
            "Sid": "Referer Deny",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::xxxx.xxxx.xx/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "http://sitea.xxx/*",
                        "http://siteb.xxxxx/*"
                    ]
                }
            }
        }
    ]
}

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content