amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication

Question

I have the following bucket policy set on my bucket:

{

\"Version\": \"2008-10-17\",

\"Id\": \"My access policy\",

\"Statement\": [

     {

 \"Sid\": \"A         


        

Answer 1

Remove the space in the referrers string " http://mydomain.com/*" that's wrong... the Amazon examples made that mistake too.

For the second statement the easier way to solve it is to remove that entire statement and have your files permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite)

I am not sure, but in appears that even if you have a Deny Statement a file can still be read if it has a public permission (World Read).

Also, if you are distributing the files on CloudFront remember to allow it to read the bucket too. So a complete bucket policy will look like:

{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
    {
        "Sid": "Allow get requests to specific referrers",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*",
        "Condition": {
            "StringLike": {
                "aws:Referer": [
                    "http://www.yourwebsite.com/*",
                    "http://yourwebsite.com/*"
                ]
            }
        }
    },
    {
        "Sid": "Allow CloudFront get requests",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::12345678:root"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::yourbucket/*"
    }
]
}

(change the 12345678 to your AWS account ID number without the dashes)