1 Answer
Hello, you can adjust the bucket policy to include a condition that checks for the presence of a specific query string parameter that is included in the signed URLs. Below is an example of this:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "Allow-put-object-only-with-signed-url",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:url-param": "URL-signature=*"
        }
      }
    }
  ]
}
This is going to allow putObject for S3 signed URLs that include the "url signature" query string parameter. As for the CloudFront signed URLs, you can use cloudfront:signedUrl in the Principal field, and also include a condition that checks for the presence of the CloudFront-Signature query string parameter.
{
  "Version": "2012-10-17",
  "Id": "CloudFrontPolicyId1",
  "Statement": [
    {
      "Sid": "Allow-put-object-only-with-signed-url",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:url-param": "CloudFront-Signature=*"
        }
      }
    }
  ]
}
answered a year ago
Thank you for the answer.
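An added example, not part of the answer above: a bucket policy that restricts `s3:PutObject` to presigned (query-string authenticated) requests using the documented S3 condition keys `s3:authType` and `s3:signatureAge`, checked against constructed request contexts. The function names, the 10-minute age limit and the small evaluator are assumptions made for illustration; the evaluator models only the two operators used here and is not the real IAM policy engine.

```python
import json

BUCKET_ARN = "arn:aws:s3:::bucket-name/*"  # placeholder bucket from the answer

def presigned_only_policy(max_age_ms=600_000):
    """Deny PutObject unless the request is query-string signed and fresh."""
    def deny(sid, operator, key, value):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": BUCKET_ARN,
                "Condition": {operator: {key: value}}}
    return {"Version": "2012-10-17", "Statement": [
        deny("DenyPutUnlessPresigned", "StringNotEquals",
             "s3:authType", "REST-QUERY-STRING"),
        deny("DenyStalePresignedPut", "NumericGreaterThan",
             "s3:signatureAge", max_age_ms),
    ]}

def condition_matches(operator, key, value, ctx):
    # Simplified model of two IAM operators; not the real policy engine.
    if key not in ctx:
        # A negated operator matches when the key is absent from the request.
        return operator == "StringNotEquals"
    if operator == "StringNotEquals":
        return ctx[key] != value
    if operator == "NumericGreaterThan":
        return float(ctx[key]) > float(value)
    raise ValueError(f"operator not modelled: {operator}")

def denied_by(policy, ctx):
    """Return the Sids of Deny statements that match a request context."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if all(condition_matches(op, k, v, ctx)
               for op, kv in stmt["Condition"].items() for k, v in kv.items()):
            hits.append(stmt["Sid"])
    return hits

# Constructed request contexts (not captured traffic); ages are in milliseconds.
FRESH_PRESIGNED = {"s3:authType": "REST-QUERY-STRING", "s3:signatureAge": 30_000}
STALE_PRESIGNED = {"s3:authType": "REST-QUERY-STRING", "s3:signatureAge": 900_000}
HEADER_SIGNED = {"s3:authType": "REST-HEADER"}

if __name__ == "__main__":
    policy = presigned_only_policy()
    print(json.dumps(policy, indent=2))
    for name, ctx in [("fresh", FRESH_PRESIGNED), ("stale", STALE_PRESIGNED),
                      ("header", HEADER_SIGNED), ("anonymous", {})]:
        print(name, denied_by(policy, ctx))
```

The Deny statements grant nothing by themselves: the identity that signs the URL still needs an Allow for `s3:PutObject` on the bucket.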