I have put the following bucket policy in effect for the product downloads bucket on my website. It works perfectly for http traffic. However this policy also prevents me from downloading directly from the S3 console, or from 3rd party S3 clients like S3Hub.
How can I add to or change this policy to be able to interact with my files "normally" as a logged-in owner, but still restrict http traffic as below?
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::downloads.example.net/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "https://example16.herokuapp.com/*",
            "http://localhost*",
            "https://www.example.net/*",
            "http://stage.example.net/*",
            "https://stage.example.net/*",
            "http://www.example.net/*"
          ]
        }
      }
    }
  ]
}
Remove:
"Principal": "*",
Replace with:
"NotPrincipal": { "AWS": "Your-AWS-account-ID" },
The policy should then apply only to requests that are not authorized by credentials associated with your account.
Note that because of the security implications of its logic inversion, NotPrincipal should only ever be used with Deny policies, not Allow policies, with few exceptions.
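To see why the original statement locks out the bucket owner and what the NotPrincipal change does, here is a small added example (my own toy evaluator, not code from the question, the answer, or AWS). It embeds the statement from the question, derives the fixed version the answer describes, and evaluates both against a few constructed requests. The account ID, the sample Referer values, and the evaluation model are assumptions: principals are compared as literal strings, only the StringNotLike / aws:Referer condition is modeled, and a missing Referer header is treated the way IAM documents negated operators (condition true when the key is absent), which is what bites S3 clients that send no Referer at all.

```python
# Added example: toy evaluator for the single Deny statement on this page.
# Shows why "Principal": "*" denies the bucket owner and how "NotPrincipal"
# carves the owner's account out of the Deny. Account ID, request samples
# and the evaluation model are constructed/simplified; real evaluation is AWS's.
from fnmatch import fnmatchcase
import copy

ACCOUNT_ID = "123456789012"  # placeholder standing in for "Your-AWS-account-ID"

ALLOWED_REFERERS = [
    "https://example16.herokuapp.com/*",
    "http://localhost*",
    "https://www.example.net/*",
    "http://stage.example.net/*",
    "https://stage.example.net/*",
    "http://www.example.net/*",
]

ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::downloads.example.net/*",
        "Condition": {"StringNotLike": {"aws:Referer": ALLOWED_REFERERS}},
    }],
}

# The answer's fix: same statement, but the owner's account is exempted from
# the Deny via NotPrincipal instead of matching every principal with "*".
FIXED_POLICY = copy.deepcopy(ORIGINAL_POLICY)
del FIXED_POLICY["Statement"][0]["Principal"]
FIXED_POLICY["Statement"][0]["NotPrincipal"] = {"AWS": ACCOUNT_ID}


def _principal_set(spec):
    """Flatten a Principal/NotPrincipal element into a set of strings."""
    if spec == "*":
        return {"*"}
    values = spec.get("AWS", [])
    return set([values] if isinstance(values, str) else values)


def _referer_condition_true(referer, patterns):
    """StringNotLike on aws:Referer: true when the header matches none of the
    patterns. IAM documents that negated operators evaluate to true when the
    key is absent, so a client sending no Referer header hits the Deny;
    modeled the same way here (assumption: no IfExists variant in play)."""
    if referer is None:
        return True
    # IAM StringLike wildcards are '*' and '?'; fnmatchcase supports both
    # (plus [...] classes IAM lacks, which none of these patterns use).
    return not any(fnmatchcase(referer, p) for p in patterns)


def statement_denies(stmt, principal, referer):
    """True if this Deny statement applies to a request by `principal`
    ("anonymous" or an account ID string) carrying the given Referer value
    (None when absent). Principal matching is a literal string comparison,
    a simplification of real IAM principal resolution."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Principal" in stmt:
        matched = _principal_set(stmt["Principal"])
        if "*" not in matched and principal not in matched:
            return False
    if "NotPrincipal" in stmt and principal in _principal_set(stmt["NotPrincipal"]):
        return False  # exempted from the Deny
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringNotLike" or set(keys) != {"aws:Referer"}:
            raise NotImplementedError(f"toy evaluator models only StringNotLike on aws:Referer, got {operator}")
        if not _referer_condition_true(referer, keys["aws:Referer"]):
            return False
    return True


def policy_denies(policy, principal, referer=None):
    """True if any Deny statement in `policy` matches. False only means no
    explicit deny from this policy; the request still needs an Allow (for
    example the owner's IAM permissions) to actually succeed."""
    return any(statement_denies(s, principal, referer) for s in policy["Statement"])


if __name__ == "__main__":
    cases = [  # constructed sample requests
        ("anonymous", "https://www.example.net/downloads/"),  # site visitor
        ("anonymous", "https://other.example.org/page"),      # hotlink
        (ACCOUNT_ID, None),                                   # 3rd-party client, no Referer
        (ACCOUNT_ID, "https://console.aws.amazon.com/s3/"),   # browser console (sample value)
    ]
    for principal, referer in cases:
        print(f"{principal:>12} referer={referer!s:<38} "
              f"original_denies={policy_denies(ORIGINAL_POLICY, principal, referer)!s:<5} "
              f"fixed_denies={policy_denies(FIXED_POLICY, principal, referer)}")
```

Running it shows the owner's requests (both with no Referer and with a console-style Referer) denied under the original policy and no longer denied under the fixed one, while anonymous hotlinking is still denied in both.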