Amazon S3 bucket policy allow access to ONLY specific http

I'm trying to restrict access to objects (media files) in an Amazon S3 bucket to a specific referral domain, privatewebsite.com, with a bucket policy, but keep getting access denied, no matter the domain referred.

I have the following settings for Block Public Access

Block public access to buckets and objects granted through new access control lists (ACLs) - On

Block public access to buckets and objects granted through any access control lists (ACLs) - On

Block public access to buckets and objects granted through new public bucket policies - Off

Block public and cross-account access to buckets and objects through any public bucket policies - Off

I've added the following code, with the URL both with and without http:// and https://, yet still get access denied (privatewebsite.com, https://privatewebsite.com, http://privatewebsite.com).

{
    "Version": "2012-10-17",
    "Id": "Policy8675309",
    "Statement": [
        {
            "Sid": "Stmt8675309",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-media-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://privatewebsite.com"
                }
            }
        },
        {
            "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::my-media-bucket/*",
            "Condition": {
                "StringNotLike": {
                    "aws:Referer": [
                        "https://privatewebsite.com/*",
                        "http://privatewebsite.com/*"
                    ]
                }
            }
        }
    ]
}

Can anyone see any obvious errors in my bucket policy?

I expect this policy to ALLOW any request, when coming from a page on privatewebsite.com, while DENY-ing all other requests, but at the moment ALL requests are denied.

M. Ellis asked May 20 '19 20:05


2 Answers

From Bucket Policy Examples - Restricting Access to a Specific HTTP Referrer:

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests originating from www.example.com and example.com.",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://www.example.com/*",
                        "http://example.com/*"
                    ]
                }
            }
        }
    ]
}

This method only grants Allow access for the given Referer. There is no need to use a Deny policy with it because access is denied by default. Thus, only the Allow permissions are granted.

John Rotenstein answered Sep 22 '22 18:09


Try this for your string-like section (allow section):

        "StringLike": {
            "aws:Referer": [
                "https://privatewebsite.com/*",
                "http://privatewebsite.com/*"
            ]
        }

E.J. Brennan answered Sep 20 '22 18:09
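Both answers above make the same correction: the Allow pattern must end in /* so that it matches the URL of a page on the site rather than only the bare origin. The following is an added example, written for this page and not code from the question, either answer, or AWS. It is a small Python model of how IAM evaluates the StringLike and StringNotLike operators on aws:Referer, run against the question's policy and the corrected Allow-only policy with a few constructed Referer values. The object key video.mp4, the Referer values and the request labels are made up for the example.

```python
import re

# Constructed sample object in the question's bucket (not a real object).
OBJECT_ARN = "arn:aws:s3:::my-media-bucket/video.mp4"

# The policy from the question: the Allow pattern has no trailing "/*".
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-media-bucket/*",
         "Condition": {"StringLike": {"aws:Referer": "https://privatewebsite.com"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-media-bucket/*",
         "Condition": {"StringNotLike": {"aws:Referer": [
             "https://privatewebsite.com/*", "http://privatewebsite.com/*"]}}},
    ],
}

# The fix both answers propose: Allow only, with "/*" patterns, no Deny.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-media-bucket/*",
         "Condition": {"StringLike": {"aws:Referer": [
             "https://privatewebsite.com/*", "http://privatewebsite.com/*"]}}},
    ],
}


def iam_string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one.
    The match is case-sensitive and must cover the whole value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, context):
    """True when every operator block in the Condition matches the request
    context. A missing key fails StringLike but satisfies StringNotLike,
    which is how IAM treats negated operators."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            value = context.get(key)
            if operator == "StringLike":
                if value is None or not any(iam_string_like(p, value) for p in patterns):
                    return False
            elif operator == "StringNotLike":
                if value is not None and any(iam_string_like(p, value) for p in patterns):
                    return False
            else:
                raise ValueError("operator not modelled: " + operator)
    return True


def evaluate(policy, action, resource, context):
    """Bucket-policy decision for one anonymous request: an explicit Deny
    wins over any Allow, and no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(iam_string_like(a, action) for a in actions):
            continue
        if not iam_string_like(stmt["Resource"], resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed Referer headers a browser might send when fetching the object.
SAMPLE_REQUESTS = {
    "page on the site":  {"aws:Referer": "https://privatewebsite.com/page.html"},
    "bare origin":       {"aws:Referer": "https://privatewebsite.com"},
    "other site":        {"aws:Referer": "https://other.example/embed"},
    "no Referer header": {},
}


def compare_policies():
    """Decision of (question policy, fixed policy) for every sample request."""
    return {label: (evaluate(QUESTION_POLICY, "s3:GetObject", OBJECT_ARN, ctx),
                    evaluate(FIXED_POLICY, "s3:GetObject", OBJECT_ARN, ctx))
            for label, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (before, after) in compare_policies().items():
        print(f"{label:18s} question policy: {before:13s} fixed policy: {after}")
```

Under the question's policy every sample request ends in a deny: a page URL does not match the bare-origin Allow pattern, and the bare origin itself is caught by the Deny, whose patterns require a trailing slash. The Deny also fires when no Referer header is present at all, which is what the bucket owner's own CLI or console requests look like, so it would block those on the objects as well; the corrected policy has no Deny, so such requests simply fall through to whatever the caller's own IAM permissions say. The Referer header is set by the client, so this pattern deters hotlinking but is not an access control for media that actually needs protecting.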