Simple example to restrict access to Cloudfront(S3) files from some users but not others

Question

I'm just getting started with permissions on AWS S3 and Cloudfront so please take it easy on me.

Two main questions:

I'd like to allow access to some users (e.g., those that are logged in) but not others. I assume I need to be using ACLs instead of a bucket policy since the former is more customizable in that you can identify the user in the URL with query parameters. First of all is this correct? Can someone point me to the plainest english description of how to do this on a file/user-by-file/user basis? The documentation on ACL confuses the heck out of me.
I'd also like to restrict access such that people can only view content on my-site.com and not your-site.com. Unfortunately the S3 documentation example bucket policy for this has no effect on access for my demo bucket (see code below, slightly adapted from AWS docs). Moreover, if I need to foremost be focusing on allowing user-by-user access, do I even want to be defining a bucket policy?

I realize i'm not even touching on how to make this work in the context of Cloudfront (the ultimate goal) but any thoughts on questions 1 and 2 would be greatly appreciated and mentioning Cloudfront would be a bonus at this point.

`

{
    "Version": "2008-10-17",
     "Id":"http referer policy example",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://mysite.com/*",
                        "https://www.mysite.com/*"
                    ]
                }
            }
        }
    ]
}

score 3 · Answer 1 · edited May 23 '17 at 12:01

3

To restrict access to CDN, to serve what we call "private content" you need to use the API to generated signed URLs and you can define the expiration of the URL. More information is here.
You can use the Origin Access Identity—as explained here—to prevent the content from being served outside cloudfront.

I thought I had some code here from a past project to share and didn't. But, at least I was able to dig into my bookmarks and find one of the references that helped me in the process, and there is another post here at stackoverflow that mentions the same reference. See below the link to the reference and to the post.

http://improve.dk/how-to-set-up-and-serve-private-content-using-s3/

Cloudfront private content + signed urls architecture

Well, it is two years old, you might have to change it a little bit here and there, but you'll get the idea.

edited May 23 '17 at 12:01

Community

1
1

answered Sep 18 '13 at 19:32

Felipe Garcia

2,263
1
16
19

thanks @Felipe, do you have any code in any language that can provide an example? – tim peterson Sep 18 '13 at 20:42
I might have some bits and pieces from a past project. I'll dig into to it and post to you. – Felipe Garcia Sep 18 '13 at 22:39
1

Unfortunately I haven't found the source code that I produced, but at least I found some references I'v used in the past. See the updated answer. – Felipe Garcia Sep 18 '13 at 22:42

Simple example to restrict access to Cloudfront(S3) files from some users but not others

1 Answers1

Linked