I’m trying to prevent people from embedding my website in an iframe except for a specific URL, my primary domain.

I am hosting the entire front-end on an S3 bucket. Is this something that can be accomplished with the S3 Bucket Policy?

2 Answers


  1. You should be able to limit this by using the "aws:Referer" condition.

    Taken from this page:
    https://asecure.cloud/a/s3_http_referrer/

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::/*"
                ],
                "Effect": "Allow",
                "Condition": {
                    "StringLike": {
                        "aws:Referer": [
                            "http://www.example.com/*",
                            "http://example.com/*"
                        ]
                    }
                }
            }
        ]
    }
    
  2. It’s not really possible with proper authentication and authorization. AWS docs clearly say you shouldn’t rely on aws:Referer:

    Unauthorized parties can use modified or custom browsers to provide any aws:Referer value that they choose. Therefore, do not use aws:Referer to prevent unauthorized parties from making direct AWS requests.

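The Referer check discussed in the two answers above, as an added example that is not part of the original thread: a small Python model of how the policy's `StringLike` condition on `aws:Referer` evaluates against constructed request headers. It assumes this Allow statement is the only grant on the bucket; `string_like` and `evaluate` are hypothetical helpers written for this illustration, not AWS APIs.

```python
import re

# Constructed copy of the Condition block from the first answer's policy.
ALLOWED_REFERERS = ["http://www.example.com/*", "http://example.com/*"]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' = any run of chars, '?' = one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def evaluate(headers):
    """Decide an anonymous s3:GetObject, assuming this Allow is the only grant."""
    # HTTP header names are case-insensitive.
    referer = {k.lower(): v for k, v in headers.items()}.get("referer")
    if referer is None:
        return "Deny"  # key absent from the request: condition is false
    if any(string_like(p, referer) for p in ALLOWED_REFERERS):
        return "Allow"
    return "Deny"  # no statement matched: implicit deny


# Constructed sample requests (header sets only; no real traffic).
SAMPLES = {
    "asset loaded by a page on the allowed site":
        {"Referer": "http://www.example.com/index.html"},
    "iframe embedded by another site":
        {"Referer": "http://other.example.net/embed.html"},
    "typed URL or bookmark (browser sends no Referer)": {},
    "allowed site served over https (pattern lists http only)":
        {"Referer": "https://www.example.com/index.html"},
    "non-browser client that sets the header itself":
        {"User-Agent": "custom-client", "Referer": "http://example.com/"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{evaluate(headers):5}  {label}")
```

The last sample is allowed because the condition sees only the header value, which is the limitation the AWS documentation quote in the second answer describes. The third and fourth samples show legitimate visits being denied when the header is absent or the scheme differs from the listed patterns.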