Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
CloudBerry Explorer featured image

How to Avert Hotlinking of Images Hosted on Amazon S3

How to Avert Hotlinking of Images Hosted on Amazon S3

Bucket Policy is a feature of Amazon S3 that allows customers to author policies which either grant or deny access to any number of accounts and across a range or set of keys. In our previous blog post, we explained how you can leverage MSP360 Explorer for managing Bucket Policies. In this blog post, we would like to discuss a single option that makes Bucket Policy a very powerful tool to protect your media content hosted on Amazon S3. Bucket policy allows you to restrict which website can link your content effectively preventing hotlinking.

Note: this post applies to MSP360 Explorer 2.2 and later.

This is important not only because you might want to protect your copyright, but also because hotlinking may cause excessive Amazon S3 transfer fee. Remember, you have to pay each time someone downloads an image.
Let’s see how you can leverage Bucket Policy to prevent hotlinking. Say you have a bucket called mybucket where you keep your public images (or any other media content for that matter)
Then you have a website: msp360.com
Our goal is to configure the bucket in such a way that no other website can link our images.
1. make sure you don’t have ACL Public Read on any files in mybucket bucket.
2. on the mybucket bucket set up a Policy that will allow all user to read the files in the bucket provided that a request is coming from msp360.com
Here is an example of the policy that will enforce the rule above. You can simply copy it to the policy editor in MSP360 S3 Explorer PRO modifying the Resource and Aws:Referer clauses.

{
"Version":"2008-10-17",
"Id":"HTTP referer policy example",
"Statement":[
{
"Sid":"Allow get requests referred by www.msp360.com, msp360.com and IP address",
"Effect":"Allow",
"Principal": {"AWS": "*"},
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::mybucket/*",
"Condition":{
"StringLike":{
"aws:Referer":[
"https://www.msp360.com/*",
"http://msp360.com/*", "http://74.208.197.105/*"
]
}
}
}
]
}

The most important element here is the aws:Referer clause
In aws:Referer clause you have to specify all domain names and IP addresses the website is available from. In many cases, you will need only to specify just one domain name.
As always we would be happy to hear your feedback and you are welcome to post a comment.