Bucket policies are limited to 20 KB in size.
Suppose you have a website with the domain name (www.example.com or example.com) that links to photos and videos stored in your S3 bucket, examplebucket. By default, all S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that grants the s3:GetObject permission with a condition, using the aws:Referer condition key, that the GET request must originate from specific web pages. The following policy specifies a StringLike condition on the aws:Referer condition key.
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
Make sure that the browsers you use include the HTTP referer header in the request.
You can further secure access to the objects in examplebucket by adding an explicit deny to the bucket policy, as in the following example. An explicit deny supersedes any permission you might have granted on examplebucket objects by other means, such as ACLs or user policies.
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests referred by www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    },
    {
      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "StringNotLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
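To see how the Allow/Deny pair above behaves for different requests, here is an added example (not part of the AWS documentation) that evaluates the referer policy with S3's decision rules: default deny, an explicit Deny overriding any Allow, and IAM's treatment of a missing condition key (StringLike on a missing key is false, StringNotLike on a missing key is true). The evaluator only covers the two operators these policies use and ignores Principal and Resource, which are wildcards here; note that Referer is a client-supplied header, so the policy restricts casual hot-linking rather than authenticating the caller, and the patterns only match http:// referers, not https://.

```python
import fnmatch

# Constructed from the page's second policy: Allow on a matching referer plus an
# explicit Deny on everything else. Principal and Resource are omitted (both "*").
REFERERS = ["http://www.example.com/*", "http://example.com/*"]
POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Condition": {"StringLike": {"aws:Referer": REFERERS}}},
        {"Effect": "Deny", "Action": "s3:*",
         "Condition": {"StringNotLike": {"aws:Referer": REFERERS}}},
    ]
}


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Evaluate StringLike / StringNotLike against the request context.

    A key absent from the request makes StringLike false, but makes the
    negated StringNotLike true, which is why the Deny above also hits
    requests that carry no Referer header at all (direct links, curl).
    """
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = ctx.get(key)
            hit = value is not None and any(fnmatch.fnmatchcase(value, p) for p in patterns)
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
            if operator not in ("StringLike", "StringNotLike"):
                raise ValueError(f"unsupported operator: {operator}")
    return True


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # S3 denies unless some statement allows
    for stmt in policy["Statement"]:
        if not fnmatch.fnmatchcase(action, stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # a matching Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for ctx in ({"aws:Referer": "http://www.example.com/gallery.html"}, {}):
        print(ctx, "->", evaluate(POLICY, "s3:GetObject", ctx))
```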
Grant permission to an Amazon CloudFront Origin Identity
The following example bucket policy grants a CloudFront Origin Identity permission to get (list) all objects in your Amazon S3 bucket. The CloudFront Origin Identity is used to enable the CloudFront private content feature. The policy uses the CanonicalUser prefix, instead of AWS, to specify a canonical user ID. For more information about CloudFront support for serving private content, see the Serving Private Content topic in the Amazon CloudFront Developer Guide. You must specify the canonical user ID of your CloudFront distribution's origin access identity. For instructions on finding the canonical user ID, see Specifying a Principal in a Policy.
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "Grant a CloudFront Origin Identity access to support private content",
      "Effect": "Allow",
      "Principal": {"CanonicalUser": "CloudFront Origin Identity Canonical User ID"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}