S3 private bucket with Cloudfront access via Signed Url

46 Views Asked by Mozzak At 14 March 2024 at 21:06

I have the following setup working:

Private S3 buckets with Cloudfront Distribution
User logs into portal and has access to files from S3 which are served through Cloudfront Signed Urls valid for a certain period of time.

Currently, it is possible that a user copies that Url via for example Google Debugger and share with others. I wonder if it is possible to further saveguard the files so they can only be opened via the portal domain. I was looking into bucket policies similar to

{
"Version": "2012-10-17",
"Statement": [
    {
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": [
            "arn:aws:s3:::/*"
        ],
        "Effect": "Allow",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.example.com/*",
                    "http://example.com/*"
                ]
            }
        }
    }
]

}

While it works sometimes, it does not all the time. If I request 5 files it would work for 1 and not for 4. I wonder if this has something to do with Cloudfront on top of S3?

Has anyone of you a suggestion how to go about?

Thanks, Moz

Original Q&A

There are 2 best solutions below

John Rotenstein On 14 March 2024 at 21:21

Using aws:Referer is generally a bad idea. It can be easily faked.

See: Referer spoofing - Wikipedia

If you are worried about a pre-signed URL being shared, then reduce the expiry period on the pre-signed URL.

0xAPPA On 25 March 2024 at 17:26

Sounds like you should go for Signed Cookies instead of Signed Urls.

S3 private bucket with Cloudfront access via Signed Url

There are 2 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-CLOUDFRONT

Related Questions in PRE-SIGNED-URL

Trending Questions

Popular # Hahtags

Popular Questions