I have a bucket policy for restricting access to files with "--original" in the filename, but it only works if you put the URL directly into the browser. If you click "open image in new tab" then it shows up just fine (I assume because the HTTP referer is indeed from that site). I need to give access to the website to show the image, but if in a new tab or trying to download, it doesn't get access. Do I need to put some sort of redirect in?
Here's my bucket policy:
{
  "Version": "2012-10-17",
  "Id": "Deny file access",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::examplebucket/*--original*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "https://examplebucket.com*",
            "https://examplebucket.dev*"
          ]
        }
      }
    }
  ]
}
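
A small model of how the Deny statement in the post above is evaluated, added here as an illustration and not part of the original post. It shows that the statement sees only the `Referer` header, so an embedded image and a new-tab request carrying the same header get the same result. Assumptions: `like()` is a simplified stand-in for IAM's `StringLike` matching, and the object keys and page URLs are constructed samples.

```python
import re

# The Deny statement from the bucket policy in the post.
STATEMENT = {
    "Effect": "Deny",
    "Resource": "arn:aws:s3:::examplebucket/*--original*",
    "Condition": {"StringNotLike": {"aws:Referer": [
        "https://examplebucket.com*",
        "https://examplebucket.dev*",
    ]}},
}

def like(pattern, value):
    """Simplified StringLike: '*' is any run of characters, '?' is one; case-sensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def deny_applies(key, referer):
    """True when the Deny statement matches a GetObject for `key` with this Referer header."""
    arn = "arn:aws:s3:::examplebucket/" + key
    if not like(STATEMENT["Resource"], arn):
        return False  # statement does not cover this object
    if referer is None:
        return True   # negated operator: an absent key satisfies StringNotLike
    allowed = STATEMENT["Condition"]["StringNotLike"]["aws:Referer"]
    return not any(like(p, referer) for p in allowed)

# Constructed requests (object keys and page URLs are made up for illustration).
SAMPLES = [
    ("URL typed into address bar", "cat--original.jpg", None),
    ("<img> on the site", "cat--original.jpg", "https://examplebucket.com/gallery"),
    ("new tab, Referer still sent", "cat--original.jpg", "https://examplebucket.com/gallery"),
    ("embedded on another site", "cat--original.jpg", "https://other.example/page"),
    ("file without --original", "cat.jpg", None),
]

if __name__ == "__main__":
    for label, key, referer in SAMPLES:
        verdict = "Deny" if deny_applies(key, referer) else "not denied by this statement"
        print(f"{label:30} {verdict}")
```

"Not denied by this statement" means only that this Deny does not match; the request still needs an Allow from some other statement or policy to succeed.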