I'm setting up a policy for an AWS S3 bucket to restrict access to content based on the referring domain. My goal is to allow access only if the request comes from a specific domain, as part of a paid content reading service I'm offering. I'm using the StringLike condition with aws:Referer for this purpose. However, I'm encountering an error stating "Policy has invalid resource" and "action does not apply". Here's the policy I've written:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:us-east-2:798452194891:accesspoint/vercelwzk/*",
                "arn:aws:s3:us-east-2:798452194891:accesspoint/vercelwzk"
            ],
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://yourdomain.com/*"
                }
            }
        }
    ]
}
I have a couple of questions:
Is the ARN format in the policy correct, especially for specifying the S3 access point and bucket contents?
I noticed that in the latest AWS documentation, there doesn't seem to be a StringLike field under Condition. Is this still a valid method to restrict access based on the referring domain, or is there a newer, more recommended approach?
Additionally, I'm running a paid content reading website where I need to provide downloadable PDFs stored in S3. Is the domain restriction method the best approach for my use case? My website is hosted on Vercel, and I do not have a stable IP address to rely on for IP-based restrictions. Are there any other common methods I should consider for securely delivering content from S3?
Any insights or guidance on how to correctly format this policy would be greatly appreciated.
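Added example, not part of the original question. Two things it shows. First, the shape of a bucket policy that the S3 console accepts: a bucket policy's resources must be the bucket itself (arn:aws:s3:::bucket) or its objects (arn:aws:s3:::bucket/*); access point ARNs belong in the access point's own policy, where object resources are written arn:aws:s3:region:account:accesspoint/name/object/*. s3:GetObject applies only to object resources, which is what "action does not apply" is complaining about for the bare access point ARN. StringLike is still a valid condition operator, but aws:Referer is just the HTTP Referer header the client chooses to send, so it deters hotlinking and nothing more. Second, the approach that actually fits a paywall: the server (here, a Vercel route handler after it has verified the subscription) mints a presigned GET URL with a short expiry and redirects to it. The SigV4 query-string signing is written out by hand so it runs offline and the mechanics are visible; in production call boto3.client("s3").generate_presigned_url instead. The bucket name, key, region and credentials are placeholders I made up.

```python
"""Corrected bucket policy plus hand-rolled S3 presigned GET URLs (SigV4).

Added example, not from the original post. All names and credentials below
are made-up placeholders; in real code use boto3's generate_presigned_url.
"""
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"


def bucket_policy_for_referer(bucket: str, referer_pattern: str) -> dict:
    """Corrected form of the poster's policy for a plain bucket.

    s3:GetObject only applies to object ARNs, so the resource is bucket/*.
    A bucket-level ARN is only needed for actions such as s3:ListBucket.
    aws:Referer is client-supplied and trivially spoofed (curl -H Referer:),
    so this is hotlink protection, not authorization.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringLike": {"aws:Referer": referer_pattern}},
        }],
    }


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get_url(bucket, key, region, access_key, secret_key, expires, now):
    """Presigned GET URL valid for `expires` seconds from `now` (UTC datetime)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    canonical_uri = "/" + quote(key, safe="/~")  # encode each path segment, keep '/'
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}\n",    # canonical headers, each line ends with \n
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned URLs never sign the body
    ])
    string_to_sign = "\n".join([
        ALGO, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


if __name__ == "__main__":
    print(json.dumps(bucket_policy_for_referer("paid-pdfs-example", "https://yourdomain.com/*"), indent=2))
    # Placeholder credentials; a real handler would read them from the environment.
    print(presign_get_url("paid-pdfs-example", "reports/q1 2024.pdf", "us-east-2",
                          "AKIAEXAMPLE", "SECRETEXAMPLE", 300, dt.datetime.now(dt.timezone.utc)))
```

The server-side flow is: authenticate the user, check that their subscription covers the requested PDF, then call presign_get_url (or boto3's equivalent) with an expiry of a few minutes and return a 302 to the result. The bucket stays private with no public bucket policy at all, which also removes the need for a stable egress IP. Anyone who copies the URL gets it for the remaining lifetime only; pair it with a unique object key per purchase or short expiries if resharing is a concern.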