TechQA.

S3 private bucket with Cloudfront access via Signed Url

46 views Asked by At

I have the following setup working:

  • Private S3 buckets with Cloudfront Distribution
  • User logs into portal and has access to files from S3 which are served through Cloudfront Signed Urls valid for a certain period of time.

Currently, it is possible that a user copies that Url via for example Google Debugger and share with others. I wonder if it is possible to further saveguard the files so they can only be opened via the portal domain. I was looking into bucket policies similar to

{
"Version": "2012-10-17",
"Statement": [
    {
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": [
            "arn:aws:s3:::/*"
        ],
        "Effect": "Allow",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.com/*"
                ]
            }
        }
    }
]

}

While it works sometimes, it does not all the time. If I request 5 files it would work for 1 and not for 4. I wonder if this has something to do with Cloudfront on top of S3?

Has anyone of you a suggestion how to go about?

Thanks, Moz

amazon-web-services amazon-s3 amazon-cloudfront pre-signed-url
Original Q&A
2

There are 2 answers

0
John Rotenstein On

Using aws:Referer is generally a bad idea. It can be easily faked.

See: Referer spoofing - Wikipedia

If you are worried about a pre-signed URL being shared, then reduce the expiry period on the pre-signed URL.

0
0xAPPA On

Sounds like you should go for Signed Cookies instead of Signed Urls.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-CLOUDFRONT

Related Questions in PRE-SIGNED-URL

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions