Menu
I have uploaded some files to a S3 bucket. In order to restrict access I have set up a bucket policy with HTTP referrer where redirects from a Sharepoint-site is allowed. I use Sharepoint because of the authorization of users that will access the S3-files. This works fine. But only with Firefox!
After searching around it seems that the other browsers (I've tried Chrome and Edge) blocks the HTTP referrer? What gives?
I can give access through AWS and IAM of course, but that complicates things a bit. At this point access control with O365 seems the easiest. But I don't want to force the clients to use Firefox.
(Note: based on the information you could ask why not use Sharepoint to host the files. I have a static html, and it is so easy to set up on S3. But perhaps there are some alternatives on Sharepoint?)
809
consider if that is really what you want, if you use the http referrer policy literally anyone can access that resource, as you can see from this answer: https://security.stackexchange.com/a/135706 so it doesn't give any real protection.
in this case you might decide to just grant anyone access, as taken from the amazon aws documentation:
Granting Read-Only Permission to an Anonymous User
The following example policy grants the s3:GetObject permission to any public anonymous users. (For a list of permissions and the operations that they allow, see Specifying Permissions in a Policy.) This permission allows anyone to read the object data, which is useful for when you configure your bucket as a website and want everyone to be able to read objects in the bucket.
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}
]
}
Warning Use caution when granting anonymous access to your S3 bucket. When you grant anonymous access, anyone in the world can access your bucket. We highly recommend that you never grant any kind of anonymous write access to your S3 bucket.
63
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
