
I have an S3 bucket policy like this which denies requests if the referer is not listed under:

{
    "Sid": "6",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my_bucket_name/*",
    "Condition": {
        "StringNotLike": {
            "aws:Referer": [
                "http://example1.com/*",
                "http://example2.com/*",
                "https://*amazon.com*/*" 
            ]
        }
    }
}

Note: I tried https://*amazon.com*/*, https://*aws.amazon.com*, https://*amazon.com*, http://*amazon.com*. My problem is that I am not able to get Elastic Transcoder's (one of the AWS services) referer when it tries to fetch the object, and thus the job gives an error like this: "You do not have the permissions required to read the specified object from the specified bucket". Note that everything works fine if I remove the policy. So my question is: what should I put as Elastic Transcoder's referer? I tried a couple of combinations and searched here and there, but all in vain. Please do let me know if you think that there is a better way to do this.

Update:

Also, is there a way that I can filter some denied requests by bucket policy? For example, in the above case, can I allow a request which is not from the above domains but comes from a particular IP address? From the Amazon docs here I saw that first they check for an explicit deny, and then those denied requests aren't checked further. Is there a way around this? Any kind of help will be highly appreciated. Thanks for your time.


1 Answer


Rather than creating a Bucket Policy that permits access for Amazon Elastic Transcoder, permissions are granted via the service role used by the Transcoder service.

As long as the service role has permissions to access your files in S3, there should be no need to grant it via the Bucket Policy. (Although I am unsure what would happen if you have an active DENY in the bucket policy.)

See: Service Roles for Elastic Transcoder Pipelines

  • Update: The [Bucket Policy documentation](https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4) says "Explicit deny supersedes any permission you might grant to objects in the examplebucket bucket using other means such as ACLs or user policies.", so it might be the case that you can't use DENY in the bucket policy. – John Rotenstein Nov 19 '15 at 11:10
  • Thanks for the reply. The way I am using Elastic Transcoder on the backend is mentioned here (http://aameer.github.io/articles/aws-elastic-encoder/). Please have a look; maybe that will be helpful in explaining to you what a solution to this issue could be. Also, can you please have a look at this question too, which is kind of the same, just the approach is a little different (http://stackoverflow.com/questions/33801483/joining-two-conditions-in-amazon-s3-bucket-policy). Thanks for your time. – Aameer Nov 19 '15 at 11:12
  • Moreover, I am not creating a bucket policy to allow access to Elastic Transcoder; it already has that and is working fine if I remove the policy. This policy is for stopping unauthorized access to the content if somehow the attacker manages to get the CloudFront signed URLs, whose implementation is mentioned here (http://aameer.github.io/articles/cloudfront-singed-urls/). – Aameer Nov 19 '15 at 11:18
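The question's update asks whether a request from a particular IP address can get past the Deny, and the comment above notes that an explicit Deny supersedes any Allow; the only place such an exception can live is inside the Deny's own Condition block, where the operators are ANDed. The following Python simulation is an added example, not code from the question, the answer or AWS, and it evaluates the question's Referer patterns together with an assumed NotIpAddress condition on a constructed trusted range (TRUSTED_CIDRS), also showing why a request that sends no Referer at all, as the Transcoder fetch appears to, is still denied.

```python
import fnmatch
import ipaddress

# Referer patterns copied from the question's bucket policy.
REFERER_PATTERNS = [
    "http://example1.com/*",
    "http://example2.com/*",
    "https://*amazon.com*/*",
]
# Constructed allow-listed range for the "particular IP" exception (TEST-NET-3).
TRUSTED_CIDRS = ["203.0.113.0/24"]


def policy_like(value, pattern):
    """IAM string wildcard matching: '*' matches any run, '?' one character."""
    # fnmatch also treats [...] as a character class, which IAM does not, so neutralise it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def string_not_like(value, patterns):
    """StringNotLike with several values is true only if the value matches none of them.
    A request carrying no Referer has no key to compare, and a negated operator then
    evaluates true, which is why a header-less request is still denied."""
    if value is None:
        return True
    return not any(policy_like(value, p) for p in patterns)


def not_ip_address(source_ip, cidrs):
    """NotIpAddress: true when the source address lies outside every listed range."""
    if source_ip is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)


def deny_applies(referer, source_ip=None, ip_exception=False):
    """Evaluate the Deny statement's Condition block for one request.

    Operators inside one Condition block are ANDed, so adding NotIpAddress to the
    same Deny makes it fire only when the referer is unlisted AND the caller is
    outside TRUSTED_CIDRS. A separate Allow statement cannot achieve this, because
    an explicit Deny always wins over an Allow.
    """
    conditions = [string_not_like(referer, REFERER_PATTERNS)]
    if ip_exception:
        conditions.append(not_ip_address(source_ip, TRUSTED_CIDRS))
    return all(conditions)
```

The Referer header is chosen by the client, so this condition only filters casual hotlinking; the signed-URL expiry and the Transcoder service role remain the actual access controls.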