By default, anonymous accounts and users are restricted from accessing S3 – unless they are given access through S3’s bucket policy. In this tutorial, we’ll show you how to grant and deny access to S3 content for specific users.

Allow Access to Anonymous Users

S3’s bucket policy can be modified to allow anyone access to object data. For instance, if you are using your bucket as a website, this policy will make bucket objects (your content) viewable to web users.

To grant access to anonymous users, or the general public, add this permission to your “Add bucket policy” field:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}
Important
Replace examplebucket with the name of your bucket.

Here’s what the HTTP response looks like when requesting the file without the permission:

curl -I https://s3.eu-central-1.amazonaws.com/s3-foo-bar/maxcdn/binbash.sh-600x600.png
HTTP/1.1 403 Forbidden
x-amz-request-id: CD9E286899328822
x-amz-id-2: Zhp4oKMJOJmiZvcSns9JeivC2ytQXckNIm21DhPpPjD7Tn64FlseTRp78fILBNeMu04O9qs/VuQ=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Wed, 11 Nov 2015 09:47:10 GMT
Server: AmazonS3

And here’s what the HTTP response looks like when requesting the file with the permission:

curl -I https://s3.eu-central-1.amazonaws.com/s3-foo-bar/maxcdn/binbash.sh-600x600.png
HTTP/1.1 200 OK
x-amz-id-2: GNTMaDwnAQ8tcVoUGKkY5BryNepVFt6m4+Yg44CCKxxUmyfI5w9LX4l28BY7OC8gC3P4MW0Zfnw=
x-amz-request-id: 125E00EC96C1CC69
Date: Wed, 11 Nov 2015 09:52:27 GMT
Last-Modified: Wed, 11 Nov 2015 09:44:53 GMT
ETag: "6263b0a06d9ccc412e513f8d6651c80b"
Accept-Ranges: bytes
Content-Type: image/png
Content-Length: 12497
Server: AmazonS3

Restrict and Allow Access to Specific HTTP Referers

Access can be restricted based on a variety of factors, including the referer header of the HTTP request that the web browser sends when downloading the object. If the object is downloaded from a web page, the referer is going to be the URL of that web page.

Below is an example of how to set www.domain.com and domain.com as valid referers.

Add the following policy in your “Add bucket policy” field:

{
	"Version": "2012-10-17",
	"Id": "http referer policy example",
	"Statement": [
		{
			"Sid": "Allow get requests originating from www.domain.com and domain.com.",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::s3-foo-bar/maxcdn/*",
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://www.domain.com/*",
						"http://domain.com/*"
					]
				}
			}
		}

Here’s what the HTTP response looks like when requesting the file with an unlisted referer:

curl -I https://s3.eu-central-1.amazonaws.com/s3-foo-bar/maxcdn/binbash.sh-600x600.png --referer www.otherdomain.com
HTTP/1.1 403 Forbidden
x-amz-request-id: 2625C9E3A97414DA
x-amz-id-2: +/4Lk1k/W8snylRP84yAIwRDyEZ2cpYR61tpUafCVWJsTNmrolwhmUIVCw+flGL3uqKFFbWV5Kw=
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Wed, 11 Nov 2015 10:15:33 GMT
Server: AmazonS3

And here’s what the HTTP response looks like when requesting the file with the right referer:

curl -I https://s3.eu-central-1.amazonaws.com/s3-foo-bar/maxcdn/binbash.sh-600x600.png --referer "http://www.domain.com"
HTTP/1.1 200 OK
x-amz-id-2: GNTMaDwnAQ8tcVoUGKkY5BryNepVFt6m4+Yg44CCKxxUmyfI5w9LX4l28BY7OC8gC3P4MW0Zfnw=
x-amz-request-id: 125E00EC96C1CC69
Date: Wed, 11 Nov 2015 10:12:27 GMT
Last-Modified: Wed, 11 Nov 2015 09:44:53 GMT
ETag: "6263b0a06d9ccc412e513f8d6651c80b"
Accept-Ranges: bytes
Content-Type: image/png
Content-Length: 12497
Server: AmazonS3

Restrict and Allow Access to Specific IP Addresses

Within the bucket policy, you can also grant permission to any user to perform any Amazon S3 operations on objects in the specified bucket. Within the conditions block, you have: IpAddress and NotIpAddress.

These conditions let you allow or restrict specific IPs. The IPs can also be in subnet forms. The example below allows access from subnet 178.148.109.0/24 – with the exception of 178.148.109.222.

{
	"Version": "2012-10-17",
	"Id": "S3PolicyId1",
	"Statement": [
		{
			"Sid": "IPAllow",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:*",
			"Resource": "arn:aws:s3:::s3-foo-bar/*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": "178.148.109.0/24"
				},
				"NotIpAddress": {
					"aws:SourceIp": "178.148.109.222"
				}
			}
		}
	]
}

This policy can also be used to allow access to MaxCDN IPs only. Here is how you can do that:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": [
"108.161.176.0/20"
"94.46.144.0/20"
"146.88.128.0/20"
"198.232.124.0/22"
"23.111.8.0/22"
"217.22.28.0/22"
"64.125.76.64/27"
"64.125.76.96/27"
"64.125.78.96/27"
"64.125.78.192/27"
"64.125.78.224/27"
"64.125.102.32/27"
"64.125.102.64/27"
"64.125.102.96/27"
"94.31.27.64/27"
"94.31.33.128/27"
"94.31.33.160/27"
"94.31.33.192/27"
"94.31.56.160/27"
"177.54.148.0/24"
"185.18.207.65/26"
"50.31.249.224/27"
"50.31.251.32/28"
"119.81.42.192/27"
"119.81.104.96/28"
"119.81.67.8/29"
"119.81.0.104/30"
"119.81.1.144/30"
"27.50.77.226/32"
"27.50.79.130/32"
"119.81.131.130/32"
"119.81.131.131/32"
"216.12.211.59/32"
"216.12.211.60/32"
"37.58.110.67/32"
"37.58.110.68/32"
"158.85.206.228/32"
"158.85.206.231/32"
"174.36.204.195/32"
"174.36.204.196/32"