Restrict downloading profile picture form S3 bucket through Cloud Front

Question

I have a CloudFront Distribution and a S3 bucket , I have allowed s3:GetObject from the CloudFront OAI , So that I can use those in my websites. I am also storing profile pictures of the user in S3 Bucket . Now using my cloudfront if anyone knows my bucket name , they will be able to download the profile picture right.

If am editing the bucket policy no deny the folder containing the profile picture , it wont show up in the website . How to solve this issue?

The profile picture should be got from the S3 bucket, but the folder should be accessed using the S3 bucket

Answer

You can limit access to the file only from your website by adding a condition to your S3 bucket policy which would filter against the `referer` header in the request. This would allow you to limit your files being access only by a specific domain or subdomains. See here for a sample policy - https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-4

You can also use signed URLs/cookies to further restrict access based on client and time - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html

However, you can't really prevent downloads as such. If your users can see your image in their browser, that basically means the image has already been transferred to their device. There are ways to capture and save the image from there (such as developer tools on the browser)  regardless of any limitations you try to impose.

Restrict downloading profile picture form S3 bucket through Cloud Front

Conteúdo relevante