Search code examples
amazon-s3railo

S3 Bucket Policy for hotlinking is preventing writes


I have a website that serves our content from Amazon S3. Currently, I am able to read and write data to S3 just fine from my web server / website. The ACL permission are fine - I have full permissions for the website, and simply read permissions for the public.

Then, I added an S3 Bucket Policy to prevent hotlinking. You can see the S3 policy below.

This policy works well - except for one issue - it is now preventing file write requests from my webserver. So, while my public website serves content just fine, when I try to do file or directory operations, such as upload images or move images (or directories), I get an "Access denied" error now. (by my web application server, which is Railo / Coldfusion)

I'm not sure why this is happening? Initially I thought that it might be because the file read/write requests between my web server and S3 were coming via my IP and not my domain name.But even after adding my IP, the errors persist.

If I remove the policy, everything works fine again.

Does anyone know what is causing this or what I'm missing here? Thanks

       {
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Allowinmydomains",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::cdn.babeswithbraces.com/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://www.babeswithbraces.com/*",
            "http://babeswithbraces.com/*",
            "http://64.244.61.40/*"
          ]
        }
      }
    },
    {
      "Sid": "Givenotaccessifrefererisnomysites",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::cdn.babeswithbraces.com/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.babeswithbraces.com/*",
            "http://babeswithbraces.com/*",
            "http://64.244.61.40/*"
          ]
        }
      }
    }
  ]
}

Solution

  • When you use bucket policies, a deny always overrides a grant. Because you are denying access to GetObject from your bucket policy for all accounts (including authenticated users) that don't match your specific referrers list, your app produces Access denied errors.

    By default, objects in S3 have their ACLs set to private. If this is the case with your bucket, then there is no need to have an Allow and a Deny rule in your bucket policy. It would be enough to have an Allow condition that grants anonymous users, which match some specific referrers, the permission to access objects in the bucket.

    In the case mentioned above, your bucket policy should look like:

    {
      "Id": "Policy1380565362112",
      "Statement": [
        {
          "Sid": "Stmt1380565360133",
          "Action": [
            "s3:GetObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::cdn.babeswithbraces.com/*",
          "Condition": {
            "StringLike": {
              "aws:Referer": [
                "http://www.babeswithbraces.com/*",
                "http://babeswithbraces.com/*",
                "http://64.244.61.40/*"
              ]
            }
          },
          "Principal": {
            "AWS": [
              "*"
            ]
          }
        }
      ]
    }
    

    If the object ACLs already allow public access you can either remove those ACLs to make the objects private by default or include a Deny rule in your bucket policy and modify the requests you send to S3 from your app to include the expected referrer header. There is currently no way to have a Deny rule in your bucket policy that only affects anonymous requests.