Object Access Restriction Based on a Policy


You can create a policy that restricts object access based on HTTP headers. A typical use case is a website whose images and videos are stored in a Wasabi bucket.

Also refer to Bucket Access Restriction Based on a Resource Policy and Bucket Access Restriction Based on an Identity Policy.

You can make your Wasabi bucket public, but only to users who request objects from a specific website, or only when specific HTTP headers are present in the request. To do so, you add a string condition to the bucket policy that specifies which HTTP header values must be present. The following bucket policy uses the Allow effect to grant public access to this bucket when the request's Referer header shows that it came from the site example.com.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRequestHTTPHeader",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::wasabibucket1/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}

The web browser must send the Referer header with the request for this policy to work. Because the Referer header is set by the client, a Referer condition deters casual hotlinking but is not a strong access control on its own.

This policy does not restrict access to the bucket; it only grants it. A caller whose identity already permits s3:GetObject can still read objects without the header. To prevent all GET access to the bucket UNLESS the request carries the expected HTTP header, you need a Deny statement with a StringNotLike condition. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyRequestsHTTPHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::wasabibucket1/*",
      "Condition": {
        "StringNotLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
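The following evaluator is an added example, not Wasabi's or AWS's own code. It models how the Allow policy and the Deny policy above behave for requests with a matching Referer, a foreign Referer, and no Referer at all, including the rule that a missing condition key makes StringNotLike true (which is what lets the Deny statement block header-less requests) and the effect of a caller who already holds an identity-based s3:GetObject grant. The request contexts and the `identity_allows` flag are constructed for the demonstration.

```python
from fnmatch import fnmatchcase

# Condition blocks copied from the two bucket policies on this page.
REFERERS = ["http://www.example.com/*", "http://example.com/*"]
ALLOW_POLICY = {"Effect": "Allow", "Condition": {"StringLike": {"aws:Referer": REFERERS}}}
DENY_POLICY = {"Effect": "Deny", "Condition": {"StringNotLike": {"aws:Referer": REFERERS}}}


def condition_matches(condition, request_context):
    """Evaluate a Condition block against the request context.
    StringLike/StringNotLike use the policy wildcards * and ? (case-sensitive).
    A key that is absent from the request makes a positive operator false and
    a negated operator true, so Deny + StringNotLike also hits header-less requests."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = request_context.get(key)
            if value is None:
                return operator.startswith("StringNot")
            hit = any(fnmatchcase(value, p) for p in patterns)
            if operator == "StringLike" and not hit:
                return False
            if operator == "StringNotLike" and hit:
                return False
    return True


def evaluate(bucket_statements, request_context, identity_allows=False):
    """Simplified S3 authorization: an explicit Deny always wins; otherwise any
    Allow (bucket policy or the caller's identity policy, modelled here by the
    constructed identity_allows flag) grants access; otherwise implicit deny."""
    allowed = identity_allows
    for stmt in bucket_statements:
        if not condition_matches(stmt["Condition"], request_context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    # Constructed request contexts: only aws:Referer matters for these policies.
    cases = {
        "site page  ": {"aws:Referer": "http://www.example.com/gallery/1.jpg"},
        "hotlinked  ": {"aws:Referer": "http://other.example.net/steal"},
        "no referer ": {},
    }
    for name, ctx in cases.items():
        print(name, "allow-only:", evaluate([ALLOW_POLICY], ctx, identity_allows=True),
              " allow+deny:", evaluate([ALLOW_POLICY, DENY_POLICY], ctx, identity_allows=True))
```

Note that the Deny statement alone grants nothing; anonymous readers still need the Allow statement, so the two are normally deployed together in one policy.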