I have the following setup working:
- Private S3 buckets with Cloudfront Distribution
- User logs into portal and has access to files from S3 which are served through Cloudfront Signed Urls valid for a certain period of time.
Currently, it is possible that a user copies that URL via, for example, Google Debugger and shares it with others. I wonder if it is possible to further safeguard the files so they can only be opened via the portal domain. I was looking into bucket policies similar to
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.example.com/*",
            "http://example.com/*"
          ]
        }
      }
    }
  ]
}
While it works sometimes, it does not work all the time. If I request 5 files, it works for 1 and not for the other 4. I wonder if this has something to do with CloudFront on top of S3?
Does anyone have a suggestion on how to go about this?
Thanks,
Moz
2 Answers
You can use CloudFront Origin Access Control to allow access to S3 bucket objects from your CloudFront distribution only and not through any other URL. You can read about it here – https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/
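As an added example of the bucket policy that goes with Origin Access Control (this is not part of the original answer): the object read permission is granted only to the CloudFront service principal, and `AWS:SourceArn` pins it to one distribution, so a direct S3 URL or a request from any other distribution gets 403. The bucket name, account ID and distribution ID below are placeholders to be replaced with real values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipalReadOnly",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID"
        }
      }
    }
  ]
}
```

With this policy in place the `aws:Referer` statement from the question is not needed at all: S3 no longer trusts anything the browser sends, only the identity of the CloudFront distribution, and the signed URL (expiry plus signature) is what decides whether CloudFront serves the object.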
Using aws:Referer is generally a bad idea. It can be easily faked. See: Referer spoofing – Wikipedia
If you are worried about a pre-signed URL being shared, then reduce the expiry period on the pre-signed URL.
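To show concretely what "reduce the expiry period" means for a CloudFront signed URL, here is an added example (not code from the question or either answer) that builds a canned-policy signed URL with a configurable lifetime and reads the remaining validity back out of a URL. The distribution hostname, key-pair ID and the stand-in signer are assumptions for the demo; CloudFront itself requires an RSA PKCS#1 v1.5 signature over SHA-1 with the trusted key pair's private key, which the `rsa_sha1_signer` helper produces if the `cryptography` package is installed. Note that nothing in the URL depends on the Referer header: the signature binds only the resource and the expiry time, which is why a shared link keeps working until it expires.

```python
"""CloudFront canned-policy signed URL with a short TTL (added example).

Assumed values: the hostname d111111abcdef8.cloudfront.net, the key-pair ID
APKAEXAMPLE and the stand-in signer are all hypothetical.
"""
import base64
import hashlib
import json
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit


def cloudfront_b64(data: bytes) -> str:
    """Base64 with the substitutions CloudFront requires in query strings:
    '+' -> '-', '=' -> '_', '/' -> '~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.replace("+", "-").replace("=", "_").replace("/", "~")


def canned_policy(resource_url: str, expires: int) -> bytes:
    """The canned policy statement, serialised without whitespace, exactly as
    CloudFront expects it to have been signed."""
    policy = {
        "Statement": [
            {
                "Resource": resource_url,
                "Condition": {"DateLessThan": {"AWS:EpochTime": expires}},
            }
        ]
    }
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def signed_url(resource_url: str, key_pair_id: str, sign: Callable[[bytes], bytes],
               ttl_seconds: int = 60, now: Optional[int] = None) -> str:
    """Return resource_url with Expires, Signature and Key-Pair-Id appended.
    A short ttl_seconds limits how long a copied link stays usable."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl_seconds
    signature = cloudfront_b64(sign(canned_policy(resource_url, expires)))
    separator = "&" if "?" in resource_url else "?"
    return f"{resource_url}{separator}Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def seconds_remaining(url: str, now: Optional[int] = None) -> int:
    """How many seconds a signed URL remains valid (negative once expired)."""
    expires = int(parse_qs(urlsplit(url).query)["Expires"][0])
    now = int(time.time()) if now is None else int(now)
    return expires - now


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real signer for production use: RSA PKCS#1 v1.5 over SHA-1, which is what
    CloudFront verifies. Imports 'cryptography' lazily so the rest of this module
    runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda policy: key.sign(policy, padding.PKCS1v15(), hashes.SHA1())


def fake_signer(policy: bytes) -> bytes:
    """Stand-in signer for the offline demo only: CloudFront would reject this.
    It exists so the URL-building logic can run without a private key."""
    return hashlib.sha1(policy).digest()


if __name__ == "__main__":
    # Hypothetical resource and key pair; a 60-second window instead of hours.
    url = signed_url("https://d111111abcdef8.cloudfront.net/report.pdf",
                     "APKAEXAMPLE", fake_signer, ttl_seconds=60)
    print(url)
    print("valid for another", seconds_remaining(url), "seconds")
```

In the portal, issue the signed URL at the moment the user clicks the file, with a TTL of seconds rather than hours, so that a copied link is dead by the time it is pasted elsewhere; a returning user simply gets a freshly signed URL from the portal.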