Restricting S3 bucket files to an specific domain using Referer header and Cloudfront not working

Question

I want to securely play my video files on my website without anyone being able to download them. My videos are hosted on an S3 bucket and can be accessed through cloudfront. But whenever I play the video in my website, it shows a 403 error.

Here is the S3 bucket policy:

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudfront.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<my-bucket>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:cloudfront::<cloudfront>:distribution/<cloudfront-distribution>"
                },
                "StringLike": {
                    "aws: Referer": "https://my-domain.com/*"
                }
            }
        }
    ]
}

I am not sure what's wrong. I have tried so many different stuff. I customized all the cloudfront behavior policies to include the Referer header. But nothing works.

Now, as mentioned earlier, I only want to play the videos on my website without anyone being able to download them. If there are any other ways I can do this please tell me. I don't want top-level security. I just want to make it a little bit harder for people to download the videos.

Thank you!

Does this answer your question? [Restricting access to AWS S3 bucket based on referer](https://stackoverflow.com/questions/46010789/restricting-access-to-aws-s3-bucket-based-on-referer) — michail_w, Mar 16 '23 at 13:09
See [can I prevent video being downloaded?](https://stackoverflow.com/questions/9756837/prevent-html5-video-from-being-downloaded-right-click-saved) Also, [referer spoofing](https://en.wikipedia.org/wiki/Referer_spoofing). — jarmod, Mar 16 '23 at 15:28
@michail_w It does not. I tried this by customizing all of the cloudfront behavior policies to include Referer header. But it seems like for some reason it is not working. — NinjaByte, Mar 17 '23 at 15:32
@NinjaByte did you catch you have a whitespace in `"aws: Referer"`? — michail_w, Mar 17 '23 at 15:53
@michail_w Thanks man! I was so dumb to not check that . It works fine now. Thanks again! :D — NinjaByte, Mar 18 '23 at 02:59

score 0 · Accepted Answer · answered Mar 18 '23 at 03:04

0

The main problem was the space between "aws: Referer". It should've been "aws:Referer".

answered Mar 18 '23 at 03:04

NinjaByte

1
1

Restricting S3 bucket files to an specific domain using Referer header and Cloudfront not working

1 Answers1