amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication

Question

I have the following bucket policy set on my bucket:

{

"Version": "2008-10-17",

"Id": "My access policy",

"Statement": [

     {

 "Sid": "Allow only requests from our site",

 "Effect": "Allow",

 "Principal": { "AWS": "*"},

 "Action": "s3:GetObject",

 "Resource": "arn:aws:s3:::my_bucket/*",

 "Condition": {

   "StringLike": {

      "aws:Referer": [" http://mydomain.com/*"," http://www.mydomain.com/*"]

        }

              }

 },

{

   "Sid": "Dont allow direct acces to files  when no referer is present",

   "Effect": "Deny",

   "Principal": {"AWS": "*" },

  "Action": "s3:GetObject",

  "Resource": "arn:aws:s3:::my_bucket/*",

  "Condition": {

  "Null": {"aws:Referer": true }

         }

         }

]

  }

I also configured query string authentication, but it looks like I can't have both. If I have my bucket policies set to deny any request that doesn't originate from mydomain, my temporary url using query string authentication will also not get served. So my question is, how can i have both ? Is there a way to check for url parameters and see if it has a parameter called "Signature" and in that case not apply the referer policy?

Answer 1

Remove the space in the referrers string " http://mydomain.com/*" that's wrong... the Amazon examples made that mistake too.

For the second statement the easier way to solve it is to remove that entire statement and have your files permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite)

I am not sure, but in appears that even if you have a Deny Statement a file can still be read if it has a public permission (World Read).

Also, if you are distributing the files on CloudFront remember to allow it to read the bucket too. So a complete bucket policy will look like:

{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
    {
        "Sid": "Allow get requests to specific referrers",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.yourwebsite.com/*",
                    "http://yourwebsite.com/*"
                ]
            }
        }
    },
    {
        "Sid": "Allow CloudFront get requests",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::12345678:root"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*"
    }
]
}

(change the 12345678 to your AWS account ID number without the dashes)