How to disable hotlinking for your AWS S3 resources

It is a good idea to serve static content (images, video and so on, as opposed to JavaScript files) from AWS S3 instead of from your AWS EC2 server. That takes the load of serving those files off your web application.

The problem is that AWS S3 objects are private by default: an anonymous request for them is answered with 403 AccessDenied.

The simple, stupid solution is to make them all publicly readable.

But what if we are talking about a protected web application, where clients have to enter credentials before they can use it, and one of the requirements is that the data must not be easily available elsewhere: it should not be embedded by other sites (hotlinking) or crawled by search engines.

An S3 bucket that is open to everyone does not work here.

Fortunately, you can attach a bucket policy that allows anonymous s3:GetObject only when the request carries a Referer header matching one of your own sites (the bucket is called TestPolicy here):

{
  "Version": "2008-10-17",
  "Id": "Vlasenko Access",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::TestPolicy/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://vlasenko.org/*",
            "http://vlasenko.guru/*",
            "http://vlasenko.ninja/*"
          ]
        }
      }
    }
  ]
}

A request whose Referer matches none of the patterns, or that has no Referer header at all, matches no Allow statement and is denied. Keep in mind what this does and does not do. The Referer header is set by the client, so anyone can add a matching one (curl -H 'Referer: https://vlasenko.org/' ...) and download the object; the policy stops casual hotlinking and most crawlers, not a determined user, and it is no substitute for the application's own authentication. If the content really must stay private, keep the bucket private and have the application hand out short-lived pre-signed URLs (or CloudFront signed URLs/cookies) instead. Two smaller points: StringLike matches the whole header value, scheme included, so https://vlasenko.org/* does not match a page served over plain http; and on buckets created today the "Block public access" setting that blocks public bucket policies has to be turned off before S3 accepts a policy with a "*" principal.
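To see which requests the policy above lets through, here is an added example (not code from the original post) that evaluates the policy's aws:Referer StringLike condition offline against a set of constructed request scenarios, including the spoofed-Referer case, and also carries a small probe() helper for checking a real bucket over the network. The bucket name TestPolicy and the scenario URLs under vlasenko.org are taken from the post; the "other.example" and "attacker.example" hosts and the 2015 page path are made up for the example. The evaluator models only the Allow / StringLike / aws:Referer shape used here, not the full IAM policy language.

```python
import json
import re
import urllib.error
import urllib.request

# The bucket policy from the post, embedded so the evaluator runs offline.
POLICY_JSON = """
{
  "Version": "2008-10-17",
  "Id": "Vlasenko Access",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::TestPolicy/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://vlasenko.org/*",
            "http://vlasenko.guru/*",
            "http://vlasenko.ninja/*"
          ]
        }
      }
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _string_like(value, pattern):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one
    character, everything else literally and case-sensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def get_object_allowed(policy, referer):
    """Decide whether an anonymous GET of an object under the policy's Resource is
    allowed, given the Referer header the client sent (None = no header).
    Only the Allow/StringLike/aws:Referer statement shape from the post is modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:GetObject":
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:Referer"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # A missing condition key makes the condition false, so a request without
        # a Referer never matches this Allow; with nothing else allowing it, it is denied.
        if referer is not None and any(_string_like(referer, p) for p in patterns):
            return True
    return False


def probe(url, referer=None, timeout=10):
    """Live check against a real bucket: the HTTP status S3 answers with for the
    given Referer. Needs network access; not used by the offline scenarios below."""
    req = urllib.request.Request(url, method="GET")
    if referer is not None:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Constructed request scenarios: (description, Referer header value or None).
SCENARIOS = [
    ("image embedded in a vlasenko.org page", "https://vlasenko.org/2015/s3-hotlinking/"),
    ("origin-only Referer (strict-origin referrer policy)", "https://vlasenko.org/"),
    ("URL pasted into the address bar (no Referer)", None),
    ("hotlinked from another site", "https://other.example/gallery.html"),
    ("same host but plain http (pattern requires https)", "http://vlasenko.org/"),
    ("look-alike host", "https://vlasenko.org.attacker.example/"),
    ("curl -H 'Referer: https://vlasenko.org/' (spoofed)", "https://vlasenko.org/"),
]


def evaluate_all(policy=POLICY):
    """Map each scenario description to the policy's allow/deny decision."""
    return {desc: get_object_allowed(policy, ref) for desc, ref in SCENARIOS}


if __name__ == "__main__":
    for desc, allowed in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {desc}")
```

The last scenario is the one that matters for security: a spoofed Referer is indistinguishable from a real one, so the evaluator (and S3) allows it. To try probe() against your own bucket, call probe("https://TestPolicy.s3.amazonaws.com/some-image.jpg") with and without a matching referer and compare the 403 and 200 you get back.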


The image above is available only through this blog post. Try copying its URL and pasting it into a new browser tab: that request carries no Referer header, the condition fails, and S3 answers 403 AccessDenied. Don't use "Open link in new tab", because that request is still sent with this page as the Referer and will succeed.
