Question:
I’m trying to edit my S3 bucket configuration such that 3rd party sites can not link to content in it. Also an added benefit is that they can only access content from my domain rather than the supplementary s3bucket.amazon-east.amazonaws.com or something to that effect.
The documentation has an example exactly for this but when I copied/pasted/modified for my website below it does not work? I still get 403 errors. When I take out only the conditional section it allows full access so there is only an issue with the referer section.
It’s such a short piece of code I’m beating my head against the wall on…hoping a second set of eyes could enlighten me on something that’s probably obvious that I’m missing?
Alternatively there might not be anything wrong with this and there might be additional configurations elsewhere that I haven’t set/considered?
Thanks for reading.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
{ "Version": "2008-10-17", "Statement": [ { "Sid": "fml", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www.mysite.com/*", "Condition": { "StringLike": { "aws:Referer": [ "http://mysite.com/*", "http://www.mysite.com/*" ] } } } ] } |
Answer:
Do you have logging enabled for your bucket?
If you do, you could check the logs to verify that a referer is getting logged along with those 403 Access Denied messages and that it’s what you expect. If it isn’t, then the problem isn’t with the bucket configuration — it’s a question of why the referer isn’t being sent by the browser.
If you don’t have logging enabled, then enable logging.
Also an added benefit is that they can only access content from my domain rather than the supplementary s3bucket.amazon-east.amazonaws.com or something to that effect.
What makes you think this would be true?