AWS S3 only allow an image from the bucket to be shown on specific IP address

Question

I've been doing some work with the AWS PHP SDK and I have been able to upload objects to a bucket, the basics.

My main aim for using this storage is to use it to bundle together a group of related files, one of them being a thumbnail image, and these groups of files been shown in a grid in a member area of a site.

I don't want the S3 URLS to be public, but I do want the files to be viewed/download when they are on my servers IP address.

I've tried using the policy generator and I'm not sure if this is the right way to do what I'm trying to achieve?

Should I be using the S3 URL for the thumbnail to display in the backend? Or should I use the GetObject function of the SDK?

Any little bit of help would be greatly appreciated as I'm currently not sure which direction I should be going in.

Thanks, Kane

Answer 1

You can use the bucket policy to allow access only from specific IPs as shown on this example :

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
         "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      } 
    } 
  ]
}

Make sure you specify your server's public IP with which it will be accessing S3. In the example above 54.240.143.0/24 is a CIDR block rather than an IP address. In case you want to filter a specific IP (like 53.22.121.12) add /32 mask, like this: 53.22.121.12/32

Personally I prefer to edit the bucket policy as JSON in permissions UI, but you can use the policy generator too.

I suggest you use the GetObject to retrieve the content from S3 to the app. In this case you can keep the S3 bucket open only to your app servers rather than to the public.