How to restrict access to an S3 bucket by domain or app?

How to restrict access to an S3 bucket by domain or app?
0

Hi,

I created an S3 bucket with a subfolder containing several images that I want to use in my app. Right now, all public access is blocked (the default settings) so if I try to access the AWS-generated Object URL for an image, I get an Access Denied error.

I want to be able to use the images in an app (ex. myapp.mysite.com) but right now, if I use the URL as the src value of an img tag, it won’t work. At the same time, I don’t want my images buckets to be visible and accessible to everyone. Is there a way to restrict access to files inside a bucket to a sub/domain?

Hello and welcome to the forum :partying_face:!

I don’t have that much experience with AWS (nor I have access to an AWS account :stuck_out_tongue:) , so I will give You this link that shows how to do it.

Now, there is something that seems weird:

I don’t want my images to be visible and accessible to everyone

I mean, You can restrict access to a specific domain to the bucket, but anyone with access to Your app will be able to download the images, which means a robot/crawler/scrapper will be able to download them too :thinking:.

Hi @skaparate, that’s a typo. I meant buckets not images. The images would be public (anyone using my app can view and download them) but I don’t want just anyone to access the rest of the bucket or see its other contents.

The main reason I’m looking at restricting the images to my domain is that I don’t want them to be used (or linked) anywhere else on the web because I’m the one paying for the costs of requests and data retrieval.

1 Like

I think I figured it out, so I’m going to share what I did. I followed the example given under Restricting Access to a Specific HTTP Referer to generate a new policy using the AWS Policy Generator.

Principal: *
Effect: Allow
Action: s3:GetObject
ARN: the ARN of the subfolder that contains my images

Then I added this condition:

  • Condition: StringLike
  • Key: aws:Referer
  • Value: the app URL

You can also optionally include a condition for an explicit deny (as outlined in the example).

1 Like

Cool :partying_face:!

Thanks for sharing :slight_smile:,

Regards!

1 Like