I am trying to secure our AWS S3 bucket so that it can be accessed only from our WordPress website. I have tried to implement this using the blog post "How to restrict s3 bucket for specific domain name? – Eternal Blog", but the problem is not solved, and the policies are not working as intended.
2 Answers
Answer:
The way described in that blog is working fine; make sure you create a new bucket and go that way. You can skip the CORS section inside that tutorial.
The issue in my case was that the previous bucket was created by my client, and he had added some rules to the bucket which were not letting me do the intended tasks, so I just created a new bucket and then followed that blog.
Thanks
Using referer to limit traffic is not a reliable security mechanism because it can easily be faked when sending an HTTP request. There is no way to guarantee that content is only "accessed from a custom domain".
The ‘correct’ way to secure content in Amazon S3 is to have users authenticate to a back-end app, and then serve content via Amazon S3 pre-signed URLs, which provide time-limited access to private objects in Amazon S3.