{"id":6136,"date":"2019-07-08T06:07:13","date_gmt":"2019-07-08T06:07:13","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=6136"},"modified":"2025-02-01T22:48:56","modified_gmt":"2025-02-01T22:48:56","slug":"prevent-direct-download-of-photos-video-files-from-amazon-s3","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/prevent-direct-download-of-photos-video-files-from-amazon-s3\/","title":{"rendered":"Prevent direct download of photos\/video files from amazon s3"},"content":{"rendered":"\n<p>You can restrict access based on the HTTP referrer. It&#8217;s not bulletproof (Referrer can be spoofed) but it will stop casual downloads.<\/p>\n\n\n\n<p>Suppose you have a website with domain name (www.devopsschool.com or devopsschool.com) with links to photos and videos stored in your S3 bucket, examplebucket. By default, all the S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:Referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n  <span class=\"hljs-attr\">\"Version\"<\/span>:<span class=\"hljs-string\">\"2012-10-17\"<\/span>,\n  <span class=\"hljs-attr\">\"Id\"<\/span>:<span class=\"hljs-string\">\"http referer policy example\"<\/span>,\n  <span class=\"hljs-attr\">\"Statement\"<\/span>:&#91;\n    {\n      <span class=\"hljs-attr\">\"Sid\"<\/span>:<span class=\"hljs-string\">\"Allow get requests originating from www.example.com and example.com.\"<\/span>,\n      <span class=\"hljs-attr\">\"Effect\"<\/span>:<span class=\"hljs-string\">\"Allow\"<\/span>,\n      <span class=\"hljs-attr\">\"Principal\"<\/span>:<span class=\"hljs-string\">\"*\"<\/span>,\n      <span class=\"hljs-attr\">\"Action\"<\/span>:<span class=\"hljs-string\">\"s3:GetObject\"<\/span>,\n      <span class=\"hljs-attr\">\"Resource\"<\/span>:<span class=\"hljs-string\">\"arn:aws:s3:::examplebucket\/*\"<\/span>,\n      <span class=\"hljs-attr\">\"Condition\"<\/span>:{\n        <span class=\"hljs-attr\">\"StringLike\"<\/span>:{<span class=\"hljs-attr\">\"aws:Referer\"<\/span>:&#91;<span class=\"hljs-string\">\"http:\/\/www.example.com\/*\"<\/span>,<span class=\"hljs-string\">\"http:\/\/example.com\/*\"<\/span>]}\n      }\n    }\n  ]\n}<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>You can further secure access to objects in the examplebucket bucket by adding explicit deny to the bucket policy as shown in the following example. Explicit deny supersedes any permission you might grant to objects in the examplebucket bucket using other means such as ACLs or user policies.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n   <span class=\"hljs-attr\">\"Version\"<\/span>: <span class=\"hljs-string\">\"2012-10-17\"<\/span>,\n   <span class=\"hljs-attr\">\"Id\"<\/span>: <span class=\"hljs-string\">\"http referer policy example\"<\/span>,\n   <span class=\"hljs-attr\">\"Statement\"<\/span>: &#91;\n     {\n       <span class=\"hljs-attr\">\"Sid\"<\/span>: <span class=\"hljs-string\">\"Allow get requests referred by www.example.com and example.com.\"<\/span>,\n       <span class=\"hljs-attr\">\"Effect\"<\/span>: <span class=\"hljs-string\">\"Allow\"<\/span>,\n       <span class=\"hljs-attr\">\"Principal\"<\/span>: <span class=\"hljs-string\">\"*\"<\/span>,\n       <span class=\"hljs-attr\">\"Action\"<\/span>: <span class=\"hljs-string\">\"s3:GetObject\"<\/span>,\n       <span class=\"hljs-attr\">\"Resource\"<\/span>: <span class=\"hljs-string\">\"arn:aws:s3:::examplebucket\/*\"<\/span>,\n       <span class=\"hljs-attr\">\"Condition\"<\/span>: {\n         <span class=\"hljs-attr\">\"StringLike\"<\/span>: {<span class=\"hljs-attr\">\"aws:Referer\"<\/span>: &#91;<span class=\"hljs-string\">\"http:\/\/www.example.com\/*\"<\/span>,<span class=\"hljs-string\">\"http:\/\/example.com\/*\"<\/span>]}\n       }\n     },\n      {\n        <span class=\"hljs-attr\">\"Sid\"<\/span>: <span class=\"hljs-string\">\"Explicit deny to ensure requests are allowed only from specific referer.\"<\/span>,\n        <span class=\"hljs-attr\">\"Effect\"<\/span>: <span class=\"hljs-string\">\"Deny\"<\/span>,\n        <span class=\"hljs-attr\">\"Principal\"<\/span>: <span class=\"hljs-string\">\"*\"<\/span>,\n        <span class=\"hljs-attr\">\"Action\"<\/span>: <span class=\"hljs-string\">\"s3:*\"<\/span>,\n        <span class=\"hljs-attr\">\"Resource\"<\/span>: <span class=\"hljs-string\">\"arn:aws:s3:::examplebucket\/*\"<\/span>,\n        <span class=\"hljs-attr\">\"Condition\"<\/span>: {\n          <span class=\"hljs-attr\">\"StringNotLike\"<\/span>: {<span class=\"hljs-attr\">\"aws:Referer\"<\/span>: &#91;<span class=\"hljs-string\">\"http:\/\/www.example.com\/*\"<\/span>,<span class=\"hljs-string\">\"http:\/\/example.com\/*\"<\/span>]}\n        }\n      }\n   ]\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n  <span class=\"hljs-attr\">\"Id\"<\/span>: <span class=\"hljs-string\">\"Policy1560396001395\"<\/span>,\n  <span class=\"hljs-attr\">\"Version\"<\/span>: <span class=\"hljs-string\">\"2012-10-17\"<\/span>,\n  <span class=\"hljs-attr\">\"Statement\"<\/span>: &#91;\n    {\n      <span class=\"hljs-attr\">\"Sid\"<\/span>: <span class=\"hljs-string\">\"Stmt1560395998201\"<\/span>,\n      <span class=\"hljs-attr\">\"Action\"<\/span>: &#91;\n        <span class=\"hljs-string\">\"s3:GetObject\"<\/span>\n      ],\n      <span class=\"hljs-attr\">\"Effect\"<\/span>: <span class=\"hljs-string\">\"Allow\"<\/span>,\n      <span class=\"hljs-attr\">\"Resource\"<\/span>: <span class=\"hljs-string\">\"arn:aws:s3:::devops-t1\/*\"<\/span>,\n      <span class=\"hljs-attr\">\"Condition\"<\/span>: {\n        <span class=\"hljs-attr\">\"StringLike\"<\/span>: {\n          <span class=\"hljs-attr\">\"aws:Referer\"<\/span>: <span class=\"hljs-string\">\"https:\/\/www.devopsschool.com\/*\"<\/span>\n        }\n      },\n      <span class=\"hljs-attr\">\"Principal\"<\/span>: <span class=\"hljs-string\">\"*\"<\/span>\n    }\n  ]\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n    <span class=\"hljs-attr\">\"Version\"<\/span>: <span class=\"hljs-string\">\"2008-10-17\"<\/span>,\n    <span class=\"hljs-attr\">\"Id\"<\/span>: <span class=\"hljs-string\">\"http referer policy example\"<\/span>,\n    <span class=\"hljs-attr\">\"Statement\"<\/span>: &#91;\n        {\n            <span class=\"hljs-attr\">\"Sid\"<\/span>: <span class=\"hljs-string\">\"Allow get requests originated from www.example.com and example.com\"<\/span>,\n            <span class=\"hljs-attr\">\"Effect\"<\/span>: <span class=\"hljs-string\">\"Allow\"<\/span>,\n            <span class=\"hljs-attr\">\"Principal\"<\/span>: {\n                <span class=\"hljs-attr\">\"AWS\"<\/span>: <span class=\"hljs-string\">\"*\"<\/span>\n            },\n            <span class=\"hljs-attr\">\"Action\"<\/span>: <span class=\"hljs-string\">\"s3:GetObject\"<\/span>,\n            <span class=\"hljs-attr\">\"Resource\"<\/span>: <span class=\"hljs-string\">\"arn:aws:s3:::devopsschoolmumbai\/*\"<\/span>,\n            <span class=\"hljs-attr\">\"Condition\"<\/span>: {\n                <span class=\"hljs-attr\">\"StringLike\"<\/span>: {\n                    <span class=\"hljs-attr\">\"aws:Referer\"<\/span>: &#91;\n                        <span class=\"hljs-string\">\"https:\/\/www.devopsschool.com\/*\"<\/span>,\n                        <span class=\"hljs-string\">\"https:\/\/devopsschool.com\/*\"<\/span>,\n                        <span class=\"hljs-string\">\"https:\/\/devopsschool.com*\"<\/span>,\n                        <span class=\"hljs-string\">\"https:\/\/devopsschool.com\"<\/span>\n                    ]\n                }\n            }\n        }\n    ]\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>","protected":false},"excerpt":{"rendered":"<p>You can restrict access based on the HTTP referrer. It&#8217;s not bulletproof (Referrer can be spoofed) but it will stop casual downloads. Suppose you have a website with domain name&#8230; <\/p>\n","protected":false},"author":1,"featured_media":7879,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5633],"tags":[5558,5449,3120,5559,5512],"class_list":["post-6136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws","tag-amazons3","tag-devopsschool","tag-download","tag-photo","tag-videos"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/6136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=6136"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/6136\/revisions"}],"predecessor-version":[{"id":6138,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/6136\/revisions\/6138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/7879"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=6136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=6136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=6136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}