How do I prevent hotlinking on Amazon S3 without using signed URLs?

StackOverflow https://stackoverflow.com/questions/948823

  •  09-09-2019
  •  | 
  •  

Question

Is there any way I can prevent hotlinking on Amazon S3 without using signed URLs?

Was it helpful?

Solution

By setting up the right S3 bucket policy, you can add referral policy to prevent the hotlink.

http://s3browser.com/working-with-amazon-s3-bucket-policies.php

OTHER TIPS

You need a bucket policy that both allows referrers from your domain(s) and denies referrers who are not from your domains. I've found that images can be hotlinked if you don't include the explicit denial - many guides and examples just give the allow policy and don't mention the deny part.

Here's my policy, just change BUCKET-NAME and YOUR-WEBSITE to your own details:

{
  "Version": "2008-10-17",
  "Id": "",
  "Statement": [
    {
      "Sid": "Allow in my domains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Deny access if referer is not my sites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET-NAME/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.YOUR-WEBSITE.com/*"
          ]
        }
      }
    }
  ]
}

I use Apache RewriteMap to remap relative links to select file extensions -- *.jpg, *.gif, *swf, *.fla to Cloudfront. Basically makes the url of your images present as relative links to your site. It doesn't prevent discovery of the S3/cloudfront url totally, just adds a layer of difficulty for the would be thief.

Might be worth a try, apply the hotlink restrictions via htaccess with the above method in place. I haven't tried it myself.

There's a good tutorial here. Make sure to check out the comments, since there's a whitespace character in the website's code that causes the solution not to work.

It's in their official docs

Change examplebucket to your bucket name, and example.com to your domain.

"Version":"2012-10-17",
"Id":"http referer policy example",
"Statement":[
  {
    "Sid":"Allow get requests originating from www.example.com and example.com.",
    "Effect":"Allow",
    "Principal":"*",
    "Action":"s3:GetObject",
    "Resource":"arn:aws:s3:::examplebucket/*",
    "Condition":{
      "StringLike":{"aws:Referer":["http://www.example.com/*","http://example.com/*"]}
    }
  }
]
}

Hotlinking is one of the reasons Amazon created Cloudfront. Cloudfront is much much faster to. I did a writeup on it you can look at here.

http://blog.sat.iit.edu/2011/12/amazon-aws-s3-vs-cloudwatch-performance-grudgematch/

edit: S3 and Cloudfront both use the same type of bucket policy to make sure the request comes from the correct url. Cloudfront is still faster though.

Not really. You could run an EC2 instance and proxy through that.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top