Restricting access to AWS S3 Bucket Objects only when requests are made from certain domains

I have created a bucket policy to try and stop hotlinking to my S3 files from people who gain the direct URL. I only want my website to be able to access those files. However, when I direct link, even with the below policy, it still allows access to the file. The files are all set to public.

{
    "Id": "Policy1491040992219",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt14910401236760",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://mywebsite.com/*"
                }
            },
            "Principal": "*"
        },
        {
            "Sid": "Stmt14910403436760",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "http://localhost:8888/*"
                }
            },
            "Principal": "*"
        }
    ]
}

Do I need to change any settings on the actual S3 bucket settings to stop all access?

Thanks!

8 months ago · Santiago Trujillo
1 Answer

You are missing the Deny statement. Try this policy:

{
    "Version": "2008-10-17",
    "Id": "Policy1491040992219",
    "Statement": [
        {
            "Sid": "Stmt14910401236760",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://mywebsite.com/*",
                        "http://localhost:8888/*"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt14910401236761",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://mywebsite.com/*",
                        "http://localhost:8888/*"
                    ]
                }
            }
        }
    ]
}
8 months ago · Santiago Trujillo
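
Added example, not part of the original question or answer: a simplified Python model of how S3 decides an anonymous s3:GetObject request, showing why the Allow-only policy still serves direct links while the objects are public and why the extra Deny statement closes that path. Assumptions: "set to public" means a public-read object ACL, every statement targets the same action and resource, and the function and variable names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed sample data mirroring the two policies on this page.
REFERERS = ["https://mywebsite.com/*", "http://localhost:8888/*"]

def stmt(effect, op):
    return {"Effect": effect, "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucketname/*",
            "Condition": {op: {"aws:Referer": REFERERS}}}

ALLOW_ONLY = {"Statement": [stmt("Allow", "StringLike")]}
ALLOW_AND_DENY = {"Statement": [stmt("Allow", "StringLike"),
                                stmt("Deny", "StringNotLike")]}

def condition_holds(condition, ctx):
    """Evaluate StringLike / StringNotLike blocks against the request context."""
    for op, keys in condition.items():
        if op not in ("StringLike", "StringNotLike"):
            raise ValueError("operator not modelled: " + op)
        for key, patterns in keys.items():
            value = ctx.get(key)
            # A key missing from the request never matches, so StringLike
            # fails and the negated StringNotLike succeeds.
            matched = value is not None and any(
                fnmatchcase(value, p) for p in patterns)
            if matched != (op == "StringLike"):
                return False
    return True

def evaluate(policy, public_acl, referer=None):
    """Return "Allow" or "Deny" for an anonymous GetObject request."""
    ctx = {} if referer is None else {"aws:Referer": referer}
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_holds(s.get("Condition", {}), ctx)}
    if "Deny" in effects:               # an explicit Deny always wins
        return "Deny"
    if "Allow" in effects or public_acl:  # ACL grants and policy grants are unioned
        return "Allow"
    return "Deny"                       # default deny

if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY), ("allow+deny", ALLOW_AND_DENY)):
        for ref in (None, "https://mywebsite.com/page.html", "https://other.example/"):
            print(name, ref, evaluate(policy, public_acl=True, referer=ref))
```

The Referer header is supplied by the client, so this kind of policy limits casual hotlinking rather than authenticating who is requesting the object.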