I'm setting a public S3-based website and I want to deny direct access to my s3 bucket for the users beyond my CloudFront distribution. At the same time I want to be able to directly access s3 content by myself (admin). Also I would like to allow CodeBuild Service to Access the same bucket.
Amazon suggests to "add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages.":
But if I add an Explicit Deny part:
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringNotLike": {"aws:Referer": ["http://www.example.com/*","http://example.com/*"]}
}
I'm loosing the opportunity for myself to upload files directly to the s3 bucket, also CodeBuild Service will not be able to do anything with my bucket as well.
How can I implement Conditions in my bucket policy in oder to deny access:
ONLY IF
("StringNotLike": {"aws:Referer": "https://www.example.com"})
OR
("StringNotLike": {"aws:userid": "my root user id"})
OR
(my bucket is not requested by CodeBuild Service)