6

I'm trying to edit my S3 bucket configuration such that 3rd party sites cannot link to content in it. Also an added benefit is that they can only access content from my domain rather than the supplementary s3bucket.amazon-east.amazonaws.com or something to that effect.

The documentation has an example exactly for this, but when I copied/pasted/modified it for my website (below) it does not work. I still get 403 errors. When I take out only the conditional section it allows full access, so there is only an issue with the referer section.

It's such a short piece of code I'm beating my head against the wall on...hoping a second set of eyes could enlighten me on something that's probably obvious that I'm missing?

Alternatively there might not be anything wrong with this and there might be additional configurations elsewhere that I haven't set/considered?

Thanks for reading.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "fml",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::www.mysite.com/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://mysite.com/*",
                        "http://www.mysite.com/*"
                    ]
                }
            }
        }
    ]
}
John Rotenstein
npho
    Did you ever find a solution for this? I'm having the same problem and the documentation is awful – n_i_c_k May 03 '13 at 20:40

2 Answers

0

Do you have logging enabled for your bucket?

If you do, you could check the logs to verify that a referer is getting logged along with those 403 Access Denied messages and that it's what you expect. If it isn't, then the problem isn't with the bucket configuration -- it's a question of why the referer isn't being sent by the browser.

If you don't have logging enabled, then enable logging.

> Also an added benefit is that they can only access content from my domain rather than the supplementary s3bucket.amazon-east.amazonaws.com or something to that effect.

What makes you think this would be true?

Michael - sqlbot
0

It's important to note that if your referer includes /* on the end then it will only allow content from children of that referer, but not from that referer itself.

So if you want to include your main domain as well, then you would need to do it like this:

                "aws:Referer": [
                    "http://example.com",
                    "http://example.com/*",
                    "http://www.example.com",
                    "http://www.example.com/*"
                ]
jsherk
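Added example, not part of either answer or of AWS's own code: a small offline model of how the `StringLike` condition on `aws:Referer` treats the patterns from the question and the bare origins from the second answer, including the missing-header case the first answer suggests checking in the logs. It assumes only the `Allow` statement and its referer condition matter (Principal, Action, Resource and Deny statements are ignored), and the sample Referer values are constructed.

```python
import copy
import re

# Bucket policy from the question, as posted.
QUESTION_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::www.mysite.com/*",
    "Condition": {"StringLike": {"aws:Referer": [
        "http://mysite.com/*", "http://www.mysite.com/*"]}}}]}

# Same policy with the bare origins added, as the second answer suggests.
WIDENED_POLICY = copy.deepcopy(QUESTION_POLICY)
WIDENED_POLICY["Statement"][0]["Condition"]["StringLike"]["aws:Referer"] += [
    "http://mysite.com", "http://www.mysite.com"]

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters
    (including none), '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def referer_allowed(policy, referer):
    """True if an Allow statement's aws:Referer condition matches.
    referer=None models a request without a Referer header: the condition
    key is absent, StringLike is false, and the request gets a 403."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:Referer")
        if patterns is None:
            return True  # this Allow carries no referer condition
        if isinstance(patterns, str):
            patterns = [patterns]
        if referer is not None and any(string_like(p, referer) for p in patterns):
            return True
    return False

# Constructed sample Referer values; None means the header was not sent.
SAMPLES = ["http://www.mysite.com/gallery.html", "http://www.mysite.com/",
           "http://www.mysite.com", "https://www.mysite.com/gallery.html",
           "http://other.example/page.html", None]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{str(ref):38} question={referer_allowed(QUESTION_POLICY, ref)!s:5} "
              f"widened={referer_allowed(WIDENED_POLICY, ref)}")
```

Comparing these results with the referer column of the bucket's access log entries for the 403 responses shows whether the header is missing, uses a different scheme, or simply lacks the trailing slash.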