
I have looked into the answer below, but it talks about Origin Access Identity for private content and signed URLs. My content is not private; it is open to the public, but I don't want other websites to hotlink to my images. In other words, images on my site should be accessed via my URLs under my domain.

Simple example to restrict access to Cloudfront(S3) files from some users but not others

I've followed the document below to create an OAI on my CloudFront distribution.
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

After applying the OAI to my distribution, something weird happened. I could access some images, and some I could not.
And when working from localhost I could not access the CloudFront images.

Is there a way I can specify which domains have access to my resources and which ones do not? Like this?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://example.com/*",
                        "http://localhost:*"
                    ]
                }
            }
        }
    ]
}

1 Answer


The "block" action via a policy like you have has to happen at the Cloudfront level. S3 won't factor in except when it's being queried for new content (which might explain why you had weird issues trying to access the images).

If your issue is essentially trying to block hotlinking, then unfortunately, I believe the only way to handle this via AWS is with signed URLs: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

Here's a Stack thread on the subject: Preventing Amazon Cloudfront hotlinking

Just to give you an alternative that is simpler, though requires occasional manual updating, here is what I've done in the past. The core of it is to put a CNAME on your Cloudfront distribution, like assets-1.yoursite.com. After a few months, if you find you are being hotlinked to, you can just change the CNAME to assets-2.yoursite.com, and then update your site to use the new URL. If you have a single variable that controls the CDN path for your site, this could be a quick fix.

It's explained in depth here: http://www.explainthatstuff.com/blocking-cloudfront-hotlinks.html

You could then use the Cloudfront 'Popular Objects' and 'Top Referrer' analytics sections in the AWS console to monitor the amount of traffic coming from other sites to see when it would be a good time to switch CNAMEs.
