Amazon AWS S3 Uploading Allowed List of Domains

Amazon Web Services (AWS) Simple Storage Service (S3) is a highly scalable, reliable, and cost-effective object storage service. When it comes to security and controlling access to S3 buckets for uploading, one important aspect is specifying an allowed list of domains. This feature allows you to restrict which domains can initiate uploads to your S3 bucket, adding an extra layer of security and preventing unauthorized uploads from malicious or untrusted sources. In this blog post, we will explore the core concepts, typical usage scenarios, common practices, and best practices related to the Amazon AWS S3 uploading allowed list of domains.

Table of Contents

  1. Core Concepts
  2. Typical Usage Scenarios
  3. Common Practices
  4. Best Practices
  5. Conclusion
  6. FAQ
  7. References

Article

Core Concepts

  • Cross-Origin Resource Sharing (CORS): CORS is a mechanism that allows web applications running on one domain to access resources (such as S3 buckets) on another domain. When you set an allowed list of domains for S3 uploading, you are essentially configuring CORS rules. CORS uses HTTP headers to indicate which origins are permitted to access the resources. For example, the Access-Control-Allow-Origin header specifies the domains that are allowed to make requests to the S3 bucket. These rules are enforced by the browser, so they apply to requests made from web pages; whether a request is authorized at all is still decided by IAM and bucket policies.
  • Bucket Policy: A bucket policy is a JSON-based access policy that you can attach to an S3 bucket. It can be used in conjunction with the allowed list of domains to further restrict access. You can define conditions in the bucket policy based on the source IP address, user agent, or other factors, in addition to the domain from which the request is coming.

Typical Usage Scenarios

  • Web Application Integration: If you have a web application that allows users to upload files to an S3 bucket, you can restrict the uploads to only come from the domain where your application is hosted. For example, if your web application is hosted at https://example.com, you can configure the S3 bucket to only accept upload requests from this domain. This helps prevent other websites from abusing your S3 bucket for unauthorized uploads.
  • Third-Party Integration: When integrating with third-party services that need to upload files to your S3 bucket, you can specify the allowed domains of these third-party services. This ensures that only the trusted third-party services can upload files to your bucket, reducing the risk of data leakage or malicious uploads.

Common Practices

  • CORS Configuration:
    • Log in to the AWS Management Console and navigate to the S3 service.
    • Select the bucket for which you want to configure the allowed list of domains.
    • Go to the “Permissions” tab and click on “CORS configuration”.
    • In the CORS configuration editor, you can add rules. For example, to allow a single domain https://example.com to make upload requests, you can use the following CORS rule:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://example.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
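  • Bucket Policy Configuration: You can also use a bucket policy to restrict access based on the domain. Here is an example of a bucket policy that allows only requests from https://example.com to upload objects. Because the Referer header is set by the client, treat this condition as a way to discourage casual cross-site use, not as authentication of the uploader: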
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RestrictUploadsToSpecificDomain",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::your-bucket-name/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://example.com/*"
                }
            }
        }
    ]
}
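
Added example (not part of the original post): a lint that flags Allow statements granting s3:PutObject to every principal when the only conditions are on request headers the caller sets, such as aws:Referer or aws:UserAgent. The function name, the sample policy, the bucket name and the account ID are constructed for illustration.

```python
import fnmatch
import json

# Condition keys filled from request headers that the caller writes.
CLIENT_SUPPLIED_KEYS = {"aws:referer", "aws:useragent"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def header_gated_public_writes(policy_json):
    """Return the Sid of each Allow statement that lets any principal call
    s3:PutObject with no condition other than client-supplied headers."""
    findings = []
    statements = _as_list(json.loads(policy_json)["Statement"])
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:putobject", p) for p in patterns):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if keys <= CLIENT_SUPPLIED_KEYS:  # also true when there is no Condition
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample: the statement from the post plus two contrasting ones.
RESOURCE = "arn:aws:s3:::your-bucket-name/*"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RestrictUploadsToSpecificDomain", "Effect": "Allow",
     "Principal": "*", "Action": ["s3:PutObject"], "Resource": RESOURCE,
     "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"}}},
    {"Sid": "UploaderRole", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
     "Resource": RESOURCE},
    {"Sid": "RefererAndSourceIp", "Effect": "Allow", "Principal": "*",
     "Action": "s3:Put*", "Resource": RESOURCE,
     "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"},
                   "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

if __name__ == "__main__":
    print(header_gated_public_writes(SAMPLE_POLICY))
```
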

Best Practices

  • Regularly Review and Update: The list of allowed domains should be regularly reviewed and updated. If your web application changes its domain or you stop using a third-party service, you should remove the corresponding domain from the allowed list to maintain security.
  • Use HTTPS: Always use HTTPS for the allowed domains. This ensures that the communication between the client and the S3 bucket is encrypted, protecting the data during transit.
  • Test Configuration: Before deploying the CORS and bucket policy changes to a production environment, thoroughly test them in a staging environment. This helps identify and fix any issues with the configuration, such as incorrect domain names or misconfigured rules.
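
The review, HTTPS and testing practices above can be checked mechanically. Added example (not part of the original post): it parses a CORS configuration in the XML form shown earlier and reports origins that are wildcards, are not HTTPS, or are absent from an approved list. The function name, the sample configuration and the approved set are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

def audit_cors(xml_text, approved_origins):
    """Return (rule_number, origin, reason) for each AllowedOrigin that is a
    wildcard, is not HTTPS, or is missing from the approved list."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for number, rule in enumerate(root.findall("s3:CORSRule", NS), start=1):
        for element in rule.findall("s3:AllowedOrigin", NS):
            origin = (element.text or "").strip()
            if "*" in origin:
                reason = "wildcard origin"
            elif urlsplit(origin).scheme != "https":
                reason = "not HTTPS"
            elif origin not in approved_origins:
                reason = "not on approved list"
            else:
                continue
            findings.append((number, origin, reason))
    return findings

# Constructed sample: one clean origin and three that should be reported.
SAMPLE_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://example.com</AllowedOrigin>
        <AllowedOrigin>http://staging.example.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedOrigin>https://old-partner.example</AllowedOrigin>
        <AllowedMethod>PUT</AllowedMethod>
    </CORSRule>
</CORSConfiguration>"""

APPROVED = {"https://example.com"}  # constructed allow list

if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_CORS, APPROVED):
        print(finding)
```
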

Conclusion

Configuring an allowed list of domains for Amazon AWS S3 uploading is an important security measure that helps protect your S3 buckets from unauthorized access and uploads. By understanding the core concepts, using them in typical usage scenarios, following common practices, and adhering to best practices, software engineers can ensure that their S3 buckets are secure and that only trusted sources can upload files.

FAQ

Q1: Can I specify multiple domains in the CORS configuration?

Yes, you can specify multiple domains in the CORS configuration. You can add multiple <AllowedOrigin> elements within a <CORSRule> or add multiple <CORSRule> elements to the CORS configuration.

Q2: What if a request comes from an IP address instead of a domain?

The CORS configuration mainly focuses on domains. However, you can use bucket policies to restrict access based on IP addresses. You can add an IpAddress condition to the bucket policy to allow or deny requests based on the source IP.

Q3: Does the allowed list of domains apply to all types of S3 operations?

No, the allowed list of domains is mainly relevant for operations that involve cross-origin requests, such as uploads. You can configure the CORS rules to allow specific HTTP methods (e.g., GET, POST, PUT), so you can control which operations are restricted based on the domain.

References