Amazon s3 video files available only from my domain / server?

Now I know that I cannot prevent someone from downloading my videos and sharing them, but I would prefer that people not be able to copy and paste links pointing directly to my bucket. So is there a way to make my bucket available only when my server / domain is making the request?

If this helps, I use jwplayer, which is loaded from an xml playlist that has all the links. This playlist can definitely be opened and viewed from anywhere, and I expect it to be easy to copy and paste from.

I do not want to mask URLs because it means my bucket is accessible to everyone. There is probably a chance that someone will find the URL of my bucket, the file name and put everything together ...

+6
4 answers

This is possible by using bucket policies, which allow you to define access rights for Amazon S3 resources. There are a couple of example cases for Amazon S3 bucket policies that illustrate the functionality, and among them you will find an example of restricting access to specific IP addresses:

This statement grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request should come from the range of IP addresses specified in the condition.

Depending on the specifics of your use case, the bucket policy for this may look like this:

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "*" },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::bucket/*",
          "Condition": {
            "IpAddress": { "aws:SourceIp": "192.168.143.0/24" },
            "NotIpAddress": { "aws:SourceIp": "192.168.143.188/32" }
          }
        }
      ]
    }

As shown, the aws:SourceIp value for the IpAddress and NotIpAddress conditions is expressed in CIDR notation, which allows for flexibility in composing the desired scope.

Finally, you might want to check out the recommended AWS Policy Generator, select the S3 Bucket Policy type, and explore the available actions and conditions to compose more targeted policies for your use case. The documentation for Condition explains this in detail.

+7

An IP address will help if your server accesses your bucket. But JWPlayer runs on the client side. Thus, the request goes directly from jwplayer (the browser) to the S3 bucket URL, and not through your server. In this case, a "referer bucket policy" will help you.

    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Sid": "1",
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::yourbucketname/*",
          "Condition": {
            "StringNotLike": {
              "aws:Referer": [
                "http://yoursitename.com/*",
                "http://*.yoursitename.com/*"
              ]
            }
          }
        }
      ]
    }

So now S3 will allow the request only if it comes from your site.

+6

You can have your bucket protected, which is the way it is by default (which means that only you have access to the objects). Then you can request files from Amazon S3 from your site and give the user a time limit in which to see them.

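    // Set the time so that users can see the file for 1 minute; then it is protected again.
    // YOUR_A3_BUCKET and 'PATH/TO/FILE' are placeholders for your bucket name and object key.
    $response = $s3->get_object_url(YOUR_A3_BUCKET, 'PATH/TO/FILE', '1 minutes');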

This will automatically give you a URL with parameters attached to it, which is only valid for 1 minute. You can use this as the source on your website, and after 1 minute it can no longer be copied and pasted into a browser.

Learn more about this in the Amazon SDK for PHP.

+1

Restricting access to a specific HTTP referrer

Suppose you have a website with a domain name (www.example.com or example.com) with links to photos and videos stored in your Amazon S3 bucket, examplebucket. By default, all Amazon S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your site, you can add a bucket policy that allows the s3:GetObject permission with a condition, using the aws:Referer key, that the get request must originate from specific web pages. The following policy specifies a StringLike condition with the aws:Referer condition key.

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

0

Source: https://habr.com/ru/post/910461/

