In my S3 logs I see multiple requests from NSPlayer and all the requests are like below:
[29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67 R
This is the reply I got from Amazon:
You almost have the correct policy on the bucket to block access from that user agent. The tricky part is that you're allowing access to the individual objects via public-read ACLs, so you can't use a restrictive "Allow" statement on the bucket. You'll need to explicitly deny that user agent from performing GET requests.
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket/*",
      "Condition": {
        "StringLike": {
          "aws:UserAgent": "*NSPlayer*"
        }
      }
    }
  ]
}
The above policy will block any access to the bucket from anywhere, if NSPlayer is in the UserAgent string.
Also, as an FYI, the bucket policy takes precedence over the user policy.
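
An added example (not part of the original post or of Amazon's reply): a small offline evaluator for the policy above, showing how the explicit Deny overrides the access granted by the public-read ACL. It models only what this policy uses (wildcard Action and Resource, the StringLike operator); the object key and User-Agent strings are constructed.

```python
import json
import re

# Policy copied from the reply above ("bucket" is the page's placeholder name).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": "arn:aws:s3:::bucket/*",
                "Condition": {"StringLike": {"aws:UserAgent": "*NSPlayer*"}}}]}
""")

def like(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return re.fullmatch(rx, value, flags) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def matches(stmt, action, resource, context):
    """True if the statement applies (Principal "*" is assumed to match any caller)."""
    if not any(like(a, action, ignore_case=True) for a in as_list(stmt["Action"])):
        return False  # action names are case-insensitive
    if not any(like(r, resource) for r in as_list(stmt["Resource"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        if op != "StringLike":
            raise NotImplementedError(op)  # only the operator used on this page
        for key, patterns in keys.items():
            value = context.get(key)
            # StringLike is case-sensitive; an absent key does not match
            if value is None or not any(like(p, value) for p in as_list(patterns)):
                return False
    return True

def decide(policy, action, resource, context, acl_public_read=True):
    """Explicit Deny wins over any Allow, including the object's public-read ACL."""
    hits = [s["Effect"] for s in as_list(policy["Statement"])
            if matches(s, action, resource, context)]
    if "Deny" in hits:
        return "Deny"
    if "Allow" in hits or (acl_public_read and action.lower() == "s3:getobject"):
        return "Allow"
    return "Deny"  # implicit deny: nothing granted access

if __name__ == "__main__":
    key = "arn:aws:s3:::bucket/video/clip.wmv"  # constructed object key
    for ua in ("NSPlayer/12.00.9600 WMFSDK/12.00.9600", "Mozilla/5.0 (X11; Linux x86_64)"):
        print(ua, "->", decide(POLICY, "s3:GetObject", key, {"aws:UserAgent": ua}))
```

The match is case-sensitive and the User-Agent value is supplied by the client, so this policy works as a filter for a known client rather than as access control.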