Amazon S3 Bucket Policy for Specific Referer URL only

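Here is an example Amazon S3 bucket policy that limits access to specific Referer URLs only, so that your content cannot be linked to from other websites. Keep in mind that the Referer header is supplied by the client, so this works as hotlink protection rather than as authentication.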

{
  "Version": "2012-10-17",
  "Id": "HttpsRefererPolicyForMySite",
  "Statement": [
    {
      "Sid": "AllowGetRequestsReferredUrlSpecificForMySite",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://mysite.com/this-specific-page-only",
            "https://mysite.com/only-child-pages-of-this-page/*",
            "https://mysite.com/this-specific-page-and-child-pages*"
          ]
        }
      }
    },
    {
      "Sid": "ExplicitDenyIfNotUrlSpecificForMySite",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "https://mysite.com/this-specific-page-only",
            "https://mysite.com/only-child-pages-of-this-page/*",
            "https://mysite.com/this-specific-page-and-child-pages*"
          ]
        }
      }
    }
  ]
}

A couple of points of interest: for one specific URL to work, you should NOT put /* on the end of it. To specify a single URL, use it like this:
https://mysite.com/this-specific-page-only

If you specify a URL with /* on the end, then it will only work for children of that URL, not the specific URL itself. For example, if you use this:
https://mysite.com/only-child-pages-of-this-page/*
then content will NOT play on the specific URL https://mysite.com/only-child-pages-of-this-page but WILL play on child URLs such as https://mysite.com/only-child-pages-of-this-page/any-other-page

So if you want content to be available on your whole site (including the main domain), you will need to include BOTH the following:
https://mysite.com
https://mysite.com/*

However, this still will not work for a URL with extra GET data, such as:
https://mysite.com?data=123

So to include this, you need to add the * to the end without the slash, and this will include the specific page as well as all child pages:
https://mysite.com*
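
An added example (not part of the original post): a small Python model of how the two statements evaluate a Referer, using the patterns from the policy's Allow statement, so a pattern list can be checked before it is deployed. The function names string_like, decide and lint and the sample Referer values are assumptions made for the illustration; it models only these two statements, not the full IAM evaluation logic.

```python
import re

# Referer patterns taken from the policy's Allow statement.
PATTERNS = [
    "https://mysite.com/this-specific-page-only",
    "https://mysite.com/only-child-pages-of-this-page/*",
    "https://mysite.com/this-specific-page-and-child-pages*",
]

def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch("".join(parts), value, re.DOTALL) is not None

def decide(referer, allow=PATTERNS, deny=PATTERNS):
    """Evaluate the Allow and Deny statements for one s3:GetObject request.

    referer=None models a request with no Referer header: StringLike is then
    false, while the negated StringNotLike is true, so the Deny applies.
    """
    allowed = referer is not None and any(string_like(p, referer) for p in allow)
    denied = referer is None or not any(string_like(p, referer) for p in deny)
    if denied:
        return "Deny"  # an explicit Deny always wins over an Allow
    return "Allow" if allowed else "ImplicitDeny"

def lint(allow, deny):
    """Patterns present in only one list; a Referer matching only those is not served."""
    return sorted(set(allow) ^ set(deny))

if __name__ == "__main__":
    # Constructed sample Referer values; None means the header is absent.
    for ref in ("https://mysite.com/this-specific-page-only",
                "https://mysite.com/only-child-pages-of-this-page",
                "https://mysite.com/only-child-pages-of-this-page/any-other-page",
                "https://othersite.example/gallery",
                None):
        print(f"{decide(ref):12} {ref}")
    # A trailing '*' with no slash covers query strings, but it is a plain prefix
    # match, so a longer hostname that starts with the same text matches as well.
    for ref in ("https://mysite.com?data=123", "https://mysite.com.example.net/"):
        print(string_like("https://mysite.com/*", ref),
              string_like("https://mysite.com*", ref), ref)
```

If the prefix over-match matters for your site, list https://mysite.com, https://mysite.com/* and https://mysite.com?* as separate patterns instead of https://mysite.com*.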

 
