Preventing hotlinking on Amazon S3 with CloudFront

Question

I tried preventing hotlinking media files on Amazon S3 with this bucket policy.

{
"Version": "2008-10-17",
"Id": "my-id",
"Statement": [
    {
        "Sid": "Allow get requests to specific referrers",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucketname/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": "http://sitename.com/"
            }
        }
    },
    {
        "Sid": "Allow CloudFront get requests",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::amazonaccountid:root"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucketname/*"
    }
]
}

The ACL is set to private. I am still unable to get it to accept the files that I am trying to access.

I tried many different policies that I found here but none of them seem to have any effect. The files that I am trying to prevent from hotlinking are .swf files.

When I use the exact (bucketname.s3.amazonaws.com) link without the cloudfront, it works.

Answer 1

Here is the bucket policy I used that got it to work.

{
"Version": "2008-10-17",
"Id": "http referer policy",
"Statement": [
    {
        "Sid": "Allow get requests referred by www.mysite.com and mysite.com",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucketname/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": "http://www.mysite.com/*"
            }
        }
    }
]

}