Amazon AWS S3 Allowed List Domain Name
Amazon S3 (Simple Storage Service) is a highly scalable and durable object storage service provided by Amazon Web Services (AWS). One of the important security and access-control features in S3 is the ability to define an allowed list of domain names. This feature helps in restricting access to your S3 buckets based on the domain the requests claim to originate from (the `Origin` or `Referer` header they carry). By setting up an allowed list of domain names, you can enhance the security of your S3 resources so that only requests presenting a trusted domain can access your data.
Table of Contents
- Core Concepts
- Typical Usage Scenarios
- Common Practices
- Best Practices
- Conclusion
- FAQ
- References
Core Concepts
- Cross-Origin Resource Sharing (CORS): CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. In the context of S3, CORS rules specify which origins are allowed to make cross-origin requests to your S3 buckets. For example, if you host a static website on S3 and want to allow requests from a specific domain (e.g., `example.com`), you can configure a CORS rule that allows requests from that origin.
- Bucket Policies: Bucket policies are JSON-based access policies that you attach to an S3 bucket. You can use a bucket policy to restrict access to the bucket based on the `aws:Referer` condition key, which lets you specify which domain names are allowed to access your bucket. For instance, you can set a bucket policy that only allows requests whose `Referer` header contains a specific domain name.
Typical Usage Scenarios
- Static Website Hosting: When you host a static website on S3, you may want to restrict access to the website's resources to specific domains. For example, if your website is intended for internal use within your company, you can set up an allowed list of domain names so that only requests from your company's domain can access the website.
- API Integration: If you are using S3 as a storage backend for an API, you can restrict access to the S3 resources used by the API to specific domains. This helps in preventing unauthorized access to your data through the API. For example, if your API is consumed by a mobile app with a specific domain associated with it, you can ensure that only requests from that domain can access the relevant S3 resources.
Common Practices
- CORS Configuration:
  - First, log in to the AWS Management Console and navigate to the S3 service.
  - Select the bucket for which you want to configure CORS.
  - In the bucket properties, find the CORS configuration section.
  - Here, you can define rules that specify the allowed origins (domain names). For example, the following is a simple CORS configuration that allows `GET` requests from `example.com`:

```xml
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
```

- Bucket Policy Configuration:
  - Create a JSON-based bucket policy. The following is an example of a bucket policy that restricts access to requests with a `Referer` header containing `example.com`:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictAccessToSpecificDomain",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": "https://example.com/*"
        }
      }
    }
  ]
}
```

  - Then, apply this policy to your S3 bucket through the AWS Management Console or the AWS CLI.
Best Practices
- Regular Review: Regularly review your allowed list of domain names. As your business evolves, new domains may need to be added or removed from the list. For example, if you acquire a new subsidiary with its own domain, you may need to add that domain to the allowed list.
- Testing: Before deploying any changes to your CORS or bucket policies, thoroughly test them in a staging environment. This helps in identifying any potential issues or access restrictions that may affect your applications or services.
- Use of Multiple Security Layers: Don't rely solely on the allowed list of domain names for security. Both the `Origin` and `Referer` headers are supplied by the client, so a policy keyed on them limits casual hotlinking rather than authenticating the caller. Combine it with other security measures such as IAM (Identity and Access Management) policies, encryption, and network access controls to provide a more comprehensive security posture.
Conclusion
The ability to define an allowed list of domain names in Amazon AWS S3 is a powerful security feature that can help you protect your S3 resources from unauthorized access. By understanding the core concepts, typical usage scenarios, common practices, and best practices, software engineers can effectively implement this feature to enhance the security of their applications and data stored in S3.
FAQ
- Can I use wildcards in the allowed domain names?
  - Yes, you can use wildcards in both CORS and bucket policy configurations. In CORS, you can use a wildcard like `https://*.example.com` to allow requests from all sub-domains of `example.com`. In bucket policies, you can use wildcards in the `aws:Referer` condition as well.
- What if a request does not have a `Referer` header?
  - If a request does not have a `Referer` header, it does not match a bucket policy condition based on `aws:Referer`, because a condition on a missing key is not satisfied. You may need to adjust your bucket policy to handle such cases, for example, by allowing requests without a `Referer` header under certain circumstances.
- How do I troubleshoot access issues related to the allowed list of domain names?
  - Check the AWS CloudTrail logs for access events (object-level S3 calls such as `GetObject` are data events, which must be enabled; S3 server access logs are an alternative). You can also review the CORS and bucket policy configurations to ensure they are correct. Additionally, use browser developer tools to check for CORS-related errors in case of web-based access.
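As an added example that is not from the original article, the Python below simulates how the Common Practices bucket policy and CORS rule decide a request using IAM `StringLike` wildcard semantics, covering the wildcard and missing-`Referer` questions in this FAQ. It assumes a placeholder bucket name and, to stay short, ignores Deny statements, identity policies and ACLs.

```python
import re
# Constructed sample policy shaped like the Common Practices example (placeholder
# bucket name; the second Referer pattern is the sub-domain wildcard from the FAQ).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictAccessToSpecificDomain",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::your-bucket-name/*",
        "Condition": {"StringLike": {
            "aws:Referer": ["https://example.com/*", "https://*.example.com/*"]}},
    }],
}
# Constructed CORS rule, equivalent to the XML above but with a wildcard origin.
CORS_RULES = [{"AllowedOrigin": "https://*.example.com", "AllowedMethod": ["GET"]}]

def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one;
    everything else is literal and case-sensitive, and the whole value must match."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def get_object_allowed(policy, resource, headers):
    """True if an Allow statement for s3:GetObject matches the resource and its
    aws:Referer condition; a request with no Referer header never satisfies the
    condition. Simplified: Deny statements, IAM policies and ACLs are ignored (assumption)."""
    referer = headers.get("Referer")
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:GetObject":
            continue
        if not string_like(stmt["Resource"], resource):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:Referer")
        if patterns is None:
            return True                   # unconditional Allow
        if referer is None:
            continue                      # missing key: the condition is false
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(string_like(p, referer) for p in patterns):
            return True
    return False

def cors_allowed(rules, origin, method):
    """Browser side: does any CORS rule permit this Origin header and method?"""
    return any(method in r["AllowedMethod"] and string_like(r["AllowedOrigin"], origin)
               for r in rules)
```

Note that the trailing `/*` in the policy matters: `https://example.com/*` does not match a look-alike such as `https://example.com.other/`, and the CORS wildcard `https://*.example.com` does not cover the apex `https://example.com` itself.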