
I am trying to set up things on S3 to prevent hotlinking.

I've taken advice from here: How do I prevent hotlinking on Amazon S3 without using signed URLs?

And also this one: https://kinsta.com/blog/hotlinking/

However, I can't get it to work.

First, I prevent all public access to the bucket so the settings on the Permissions tab are like this:

[screenshot of the bucket's Permissions tab omitted]

I have set the policy like this:

{
    "Version": "2008-10-17",
    "Id": "HTTP referer policy example",
    "Statement": [
        {
            "Sid": "prevent hotlinking",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://example.co.uk/*",
                        "http://www.example.co.uk/*",
                        "https://example.co.uk/*",
                        "https://www.example.co.uk/*",
                        "http://localhost/01-example/*"
                    ]
                }
            }
        }
    ]
}

However, when I try to access content from the bucket from the referring site, I cannot see the S3 content.

What am I doing wrong?

4532066

2 Answers


I prevent all public access to the bucket so the settings on the Permissions tab are like this.

That's why it does not work. Your policy allows public/anonymous access ("Principal": {"AWS": "*"}), but at the same time you explicitly "prevent all public access". You have to enable public access. From the docs:

Before you use a bucket policy to grant read-only permission to an anonymous user, you must disable block public access settings for your bucket.

Marcin

Blocking public access options will override any other configuration you're using, for this reason your bucket policy will not take effect.

To allow your policy to work you will need to disable this; you might choose to keep several of the options enabled to prevent further changes being made to the bucket policy.

On a related note to your policy, the Referer header can be faked to still access these assets, so it should not be treated as a silver bullet.

Another solution to use would be to either use an S3 signed URL or to take a look at using a CloudFront distribution in front of your S3 bucket and then making use of a signed cookie.

Chris Williams
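Added example, not part of the question or either answer and not AWS code: a small offline model of both points above. It shows which Block Public Access flags keep the question's "Principal": "*" policy from ever applying (Marcin's answer) and that the aws:Referer condition is met by whatever Referer the client chooses to send, so a forged header passes exactly like a real one (Chris Williams' answer). The StringLike matcher re-implements IAM's documented wildcard semantics ('*' any run of characters, '?' one character, case-sensitive); the bucket name comes from the question, while the object key, Referer values and request labels are constructed for the example. Nothing here calls AWS.

```python
"""Offline check of the Referer-based bucket policy from the question.

Added example; not from the original post, the answers, or AWS. It models
Block Public Access and the aws:Referer condition locally so the two
failure modes discussed in the answers can be seen without an AWS account.
"""
import re

BUCKET = "mybucket"  # as in the question's Resource ARN

# The question's policy, reproduced as a Python dict.
POLICY = {
    "Version": "2008-10-17",
    "Id": "HTTP referer policy example",
    "Statement": [{
        "Sid": "prevent hotlinking",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"StringLike": {"aws:Referer": [
            "http://example.co.uk/*",
            "http://www.example.co.uk/*",
            "https://example.co.uk/*",
            "https://www.example.co.uk/*",
            "http://localhost/01-example/*",
        ]}},
    }],
}

# Block Public Access as the question has it: all four flags on.
BLOCK_ALL = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Minimum change for the policy to take effect: keep the two ACL flags on
# (the policy does not use ACLs) and switch off the two policy flags.
# BlockPublicPolicy rejects installing a public bucket policy at all;
# RestrictPublicBuckets ignores a public policy for anonymous callers.
ALLOW_PUBLIC_POLICY = dict(BLOCK_ALL, BlockPublicPolicy=False,
                           RestrictPublicBuckets=False)


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def anonymous_get_allowed(key: str, referer, policy=POLICY,
                          block=ALLOW_PUBLIC_POLICY) -> bool:
    """Would an unauthenticated GET of s3://BUCKET/key succeed?"""
    if block["BlockPublicPolicy"] or block["RestrictPublicBuckets"]:
        return False  # a public policy is never in effect under these flags
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue  # the question's policy has no Deny statements
        action = stmt["Action"]
        actions = action if isinstance(action, list) else [action]
        if "s3:GetObject" not in actions:
            continue
        if not string_like(stmt["Resource"], resource):
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:Referer"]
        # A request with no Referer fails StringLike (no ...IfExists here).
        if referer is not None and any(string_like(p, referer) for p in patterns):
            return True
    return False


# Constructed requests; the Referer is entirely under the client's control.
CASES = {
    "browser on www.example.co.uk": "https://www.example.co.uk/gallery.html",
    "typed into address bar": None,
    "hotlink from another site": "https://other.example/page.html",
    # e.g. curl -H 'Referer: https://www.example.co.uk/' <object URL>
    "curl with forged Referer": "https://www.example.co.uk/",
}


def evaluate(block=ALLOW_PUBLIC_POLICY) -> dict:
    """Outcome of each case for one Block Public Access configuration."""
    return {name: anonymous_get_allowed("img/a.png", ref, block=block)
            for name, ref in CASES.items()}


if __name__ == "__main__":
    for setting in (BLOCK_ALL, ALLOW_PUBLIC_POLICY):
        print(setting)
        for name, allowed in evaluate(setting).items():
            print(f"  {name:30s} -> {'allowed' if allowed else 'denied'}")
```

With all four flags on, every request is denied, which is the situation in the question. With the two policy flags off, the legitimate page load and the curl request with a forged Referer are indistinguishable to the policy, which is why the second answer points at signed URLs or CloudFront signed cookies for anything that actually needs protecting.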