Amazon S3 domain level privacy

Question

I have to use the Amazon S3 to store interactive video files created by Camtasia. Then I have to display these videos on a website with iframe on a specific domain, without turning these files public. It is a feature at Vimeo called domain-level privacy, which means that you can choose what specific website you want to allow your video to be embedded on.

How can I achieve it at the Amazon S3?

score 1 · Answer 1 · answered Aug 09 '19 at 14:09

I've already reached the point where I can control the access of a file with the Bucket Policy this way:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://myurl.hu/*"
                }
            }
        }
    ]
}

It would be fine if I call a single file in the iframe but I have to get a .html file which has links in it to other .js files from the same bucket directory. And the I get the 403 codes.

Side-note: It is possible for people to fake the `Referer`, so don't rely on this level of protection for sensitive data. — John Rotenstein, Aug 11 '19 at 02:23

score 0 · Accepted Answer · answered Aug 13 '19 at 15:06

0

Problem solved.

The iframe redefined the "referer", that's why the amazon blocked the sources within it.

answered Aug 13 '19 at 15:06

makesz1

43
6

Amazon S3 domain level privacy

2 Answers2