When you use bucket policies, a deny always overrides a grant. Because you are denying access to `GetObject` from your bucket policy for all accounts (including authenticated users) that don't match your specific referrers list, your app produces `Access Denied` errors.
By default, objects in S3 have their ACLs set to private. If this is the case with your bucket, then there is no need to have an `Allow` and a `Deny` rule in your bucket policy. It would be enough to have an `Allow` condition that grants anonymous users, which match some specific referrers, the permission to access objects in the bucket.

In the case mentioned above, your bucket policy should look like:
```json
{
  "Id": "Policy1380565362112",
  "Statement": [
    {
      "Sid": "Stmt1380565360133",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::cdn.babeswithbraces.com/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.babeswithbraces.com/*",
            "http://babeswithbraces.com/*",
            "http://64.244.61.40/*"
          ]
        }
      },
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
```
If the object ACLs already allow public access you can either remove those ACLs to make the objects private by default or include a `Deny` rule in your bucket policy and modify the requests you send to S3 from your app to include the expected referrer header. There is currently no way to have a `Deny` rule in your bucket policy that only affects anonymous requests.
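To show why the `Allow`-only policy behaves differently from an `Allow` plus `Deny` pair, here is an added toy evaluator (not part of the answer above and not the AWS implementation) for the subset of the bucket-policy language the answer uses: `Effect`, `Action`, `Resource`, `Principal`, and `StringLike`/`StringNotLike` on `aws:Referer`. Bucket name and referer domains are placeholders, and only the bucket policy is modelled, so "ImplicitDeny" marks the case that an IAM user's own permissions could still override.

```python
from fnmatch import fnmatchcase

# Placeholder bucket and referer patterns (constructed for this example).
BUCKET = "arn:aws:s3:::example-cdn-bucket/*"
REFERERS = ["http://www.example.com/*", "http://example.com/*"]

# The shape recommended in the answer: a single Allow gated on aws:Referer.
ALLOW_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": BUCKET,
     "Principal": {"AWS": ["*"]},
     "Condition": {"StringLike": {"aws:Referer": REFERERS}}}]}

# The shape that caused the Access Denied errors: same Allow plus an explicit
# Deny for every request whose referer does not match the list.
ALLOW_AND_DENY = {"Statement": ALLOW_ONLY["Statement"] + [
    {"Effect": "Deny", "Action": ["s3:GetObject"], "Resource": BUCKET,
     "Principal": {"AWS": ["*"]},
     "Condition": {"StringNotLike": {"aws:Referer": REFERERS}}}]}

def _condition_holds(condition, context):
    """StringLike needs a matching value; StringNotLike is true when the key is
    absent or no pattern matches (mirrors how AWS treats a missing key)."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            hit = value is not None and any(fnmatchcase(value, p) for p in patterns)
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
    return True

def _statement_applies(stmt, action, resource, context):
    # Principal "*" matches anonymous and authenticated callers alike.
    return ("*" in stmt["Principal"]["AWS"]
            and any(fnmatchcase(action, a) for a in stmt["Action"])
            and fnmatchcase(resource, stmt["Resource"])
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policy, action, resource, context):
    """Bucket-policy verdict in IAM order: explicit Deny > Allow > implicit Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

A request with no referer gets an explicit `Deny` under the second policy but only an implicit one under the first, which is the difference the answer describes; since `aws:Referer` is a client-supplied header, either form limits casual hotlinking rather than a deliberately crafted client.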