 

How do I prevent hotlinking on Amazon S3 without using signed URLs?


Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

MathOldTimer asked Jun 04 '09 06:06


People also ask

How do I protect my S3 bucket from unauthorized usage?

The easiest way to secure your bucket is by using the AWS Management Console. First select a bucket and click the Properties option within the Actions drop down box. Now select the Permissions tab of the Properties panel. Verify that there is no grant for Everyone or Authenticated Users.

How do I mask my Amazon S3 URL?

There are two parts to masking your S3 URL: the first is creating and naming a bucket in S3 to match the subdomain; the second is creating the subdomain and pointing it to the S3 bucket URL.


2 Answers

You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

    {
      "Version": "2008-10-17",
      "Id": "",
      "Statement": [
        {
          "Sid": "Allow in my domains",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        },
        {
          "Sid": "Deny access if referer is not my sites",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::BUCKET-NAME/*",
          "Condition": {
            "StringNotLike": {
              "aws:Referer": [
                "http://www.YOUR-WEBSITE.com/*"
              ]
            }
          }
        }
      ]
    }
Ollie Glass answered Oct 15 '22 23:10
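The following is an added example, not code from the answer or from AWS: a simplified Python model of how the two statements above are evaluated for an anonymous GetObject, showing why the explicit Deny changes the outcome. The names `example-bucket`, `www.example.com`, `get_object` and the `public_read_acl` flag are constructed for illustration; the flag assumes the objects are also readable through some other grant, which the answer does not state.

```python
import re

# Policy from the answer above, with constructed placeholder names filled in.
PATTERNS = ["http://www.example.com/*"]       # constructed stand-in for YOUR-WEBSITE
RESOURCE = "arn:aws:s3:::example-bucket/*"    # constructed stand-in for BUCKET-NAME

def statement(effect, operator):
    return {"Effect": effect, "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
            "Resource": RESOURCE, "Condition": {operator: {"aws:Referer": PATTERNS}}}

ALLOW_ONLY = [statement("Allow", "StringLike")]
ALLOW_AND_DENY = ALLOW_ONLY + [statement("Deny", "StringNotLike")]

def like(pattern, value):
    """StringLike matching: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.DOTALL) is not None

def condition_holds(condition, referer):
    """referer is None when the request carries no Referer header."""
    for operator, keys in condition.items():
        patterns = keys["aws:Referer"]
        if operator == "StringLike":
            # A missing key never satisfies a positive operator.
            ok = referer is not None and any(like(p, referer) for p in patterns)
        elif operator == "StringNotLike":
            # A missing key satisfies a negated operator, so the Deny applies.
            ok = referer is None or not any(like(p, referer) for p in patterns)
        else:
            raise ValueError(f"operator not modelled: {operator}")
        if not ok:
            return False
    return True

def get_object(statements, referer, public_read_acl=False):
    """Simplified decision for an anonymous s3:GetObject: explicit Deny wins,
    then any Allow (policy statement or public-read object ACL), else deny."""
    effects = {s["Effect"] for s in statements
               if condition_holds(s["Condition"], referer)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects or public_read_acl else "deny"
```

With the pattern as written, requests that carry no Referer and pages served over https are denied too, so check both against your own site before deploying the policy. The Referer header is supplied by the client, so this policy deters hotlinking but does not act as access control for private objects.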


By setting up the right S3 bucket policy, you can add a referral policy to prevent hotlinking.

http://s3browser.com/working-with-amazon-s3-bucket-policies.php

Robert Mao answered Oct 15 '22 22:10