How do I prevent hotlinking on Amazon S3 without using signed URLs?

Question

Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

Ollie Glass · Answer 1 · 2013-09-24T10:06:33.643

You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

{
  "Version": "2008-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Deny access if referer is not my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    }
  ]
}

Thanks for this. This really helped me and worked well. My only suggestion is that perhaps you also just add an entry for "http://YOUR-WEBSITE.com/*" to the answer just to cover all bases as that's where my hiccups were. Cheers for the perfect script though. — Paolo Broccardo, Sep 17 '13 at 17:20
This works great but how do I allow empty referrers? When linking to images via CSS the referrer is empty and images are not displaying. — prophoto, Nov 03 '16 at 20:17

score 12 · Accepted Answer · answered Sep 20 '11 at 21:12

12

By setting up the right S3 bucket policy, you can add referral policy to prevent the hotlink.

http://s3browser.com/working-with-amazon-s3-bucket-policies.php

answered Sep 20 '11 at 21:12

Robert Mao

1,911
22
24

23

Please post an answer here, rather than linking to an answer. – Ollie Glass Feb 21 '13 at 14:02

score 3 · Answer 3 · answered Aug 08 '09 at 07:39

3

I use Apache RewriteMap to remap relative links to select file extensions -- *.jpg, *.gif, *swf, *.fla to Cloudfront. Basically makes the url of your images present as relative links to your site. It doesn't prevent discovery of the S3/cloudfront url totally, just adds a layer of difficulty for the would be thief.

Might be worth a try, apply the hotlink restrictions via htaccess with the above method in place. I haven't tried it myself.

answered Aug 08 '09 at 07:39

Huh? Doesn't that mean that every image request has to go to your server before it can go to the CloudFront server? If so, doesn't that defeat the point of using a CDN? (It wouldn't for really big files like video, but for images?) – Doug McClean Sep 12 '09 at 05:20
The request will hit your web server and the browser is told where it should go to fetch the file, but the browser's history is never updated with the actual URL to the CDN. This is essentially the same trick behind "routes" in most front end controller frameworks, but in this case the request is never forwarded to the application server, only Apache. – Butifarra Nov 07 '09 at 22:17
@Claude, if instead of browser, download-managers are used, or something like curl / wget is used, won't the redirect be transparent, and thus be a way to enable hotlinking ? – bdutta74 Nov 04 '11 at 13:57
1

@icarus74 Sorry for the late reply. Sure, any tool capable of browsing and understanding HTTP codes should be able to follow the redirect to the CDN in effect negating the effect of the rule suggested by maddie. The best course of action is to protect your CDN from unwanted requests by setting bucket policies as suggested by Robert Mao's link above. – Butifarra Dec 27 '11 at 22:22

score 3 · Answer 4 · answered Sep 16 '16 at 02:55

It's in their official docs

Change examplebucket to your bucket name, and example.com to your domain.

"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
  {
    "Sid":"Allow get requests originating from www.example.com and example.com.",
    "Effect":"Allow",
    "Principal":"*",
    "Action":"s3:GetObject",
    "Resource":"arn:aws:s3:::examplebucket/*",
    "Condition":{
      "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
    }
  }
]
}

score 1 · Answer 5 · answered Jun 20 '11 at 00:10

1

There's a good tutorial here. Make sure to check out the comments, since there's a whitespace character in the website's code that causes the solution not to work.

answered Jun 20 '11 at 00:10

edrevo

1,147
13
17

jeremyjjbrown · Answer 6 · 2011-12-29T16:59:03.950

0

Hotlinking is one of the reasons Amazon created Cloudfront. Cloudfront is much much faster to. I did a writeup on it you can look at here.

http://blog.sat.iit.edu/2011/12/amazon-aws-s3-vs-cloudwatch-performance-grudgematch/

edit: S3 and Cloudfront both use the same type of bucket policy to make sure the request comes from the correct url. Cloudfront is still faster though.

edited Dec 29 '11 at 16:59

answered Dec 29 '11 at 16:50

jeremyjjbrown

7,772
5
43
55

1

Cloudfront doesn't prevent hotlinking or respect S3 policies – Ollie Glass Feb 10 '13 at 12:37

score -2 · Answer 7 · answered Jun 04 '09 at 06:17

-2

Not really. You could run an EC2 instance and proxy through that.

answered Jun 04 '09 at 06:17

Joe Beda

2,743
1
19
16

2

uhhhhh. no. that defeats the purpose of a CDN. – FlavorScape Mar 25 '14 at 16:58

How do I prevent hotlinking on Amazon S3 without using signed URLs?

7 Answers7

Linked