Amazon S3 virtual hosting and access control


When you first come to Amazon S3, the AWS Management Console provides a convenient way to manage your S3 resources, including creating buckets and uploading, viewing or downloading objects.

But you will need another way to access your S3 objects. S3 provides a REST API that lets you access them over HTTP.


The first two ways are built into Amazon S3 and need no configuration.

The third way, which lets you access your S3 objects under your own domain name, is powerful but needs a little configuration. First, create a bucket named after your domain name, such as “”, then configure your DNS name “” as a CNAME alias for “”. Then you can access your bucket named “” through! Note: the bucket name must be the same as the CNAME.

Now you know how to access your S3 resources, but before you do that, you still need to configure who can access them. You may not want everyone to be able to, because that may cost you extra dollars :-(

Bucket policies can do that! For example, if you want your website, and no others, to use the pictures you host on S3, you can use the “aws:Referer” key:

{
	"Version": "2008-10-17",
	"Id": "your-uniqueness-id",
	"Statement": [
		{
			"Sid": "Allow get requests referred by",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"aws:Referer": "*"
				}
			}
		}
	]
}

There are other keys you can use: “aws:SourceIp”, “aws:UserAgent”, etc. Read Element Descriptions for more.
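
A Python sketch of how the “aws:Referer” condition in the policy above is evaluated, added here as an illustration and not part of the original post; the bucket name, Sid and referer pattern are constructed placeholders, and the evaluator is a simplification of S3's policy engine. It shows that a request with no Referer header does not match, and its audit function flags a public Allow whose only gate is a header the client supplies, which is why such a policy suits hotlink control rather than protecting private objects.

```python
import json
import re

# Constructed policy in the shape of the one above; the bucket name and
# referer pattern are placeholders, not values from the original post.
POLICY = json.loads("""{
  "Version": "2008-10-17",
  "Statement": [{
    "Sid": "AllowGetFromMySite",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::www.example.com/*",
    "Condition": {"StringLike": {"aws:Referer": "http://www.example.com/*"}}
  }]
}""")

def string_like(pattern, value):
    """StringLike: case-sensitive, '*' = any run of chars, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def is_allowed(policy, action, resource, context):
    """Simplified evaluation: Allow statements, string Action/Resource,
    StringLike conditions only. A missing context key never matches."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != action:
            continue
        if not string_like(st["Resource"], resource):
            continue
        conds = st.get("Condition", {}).get("StringLike", {})
        if all(key in context and string_like(pat, context[key])
               for key, pat in conds.items()):
            return True
    return False  # no matching Allow means implicit deny

def audit(policy):
    """Flag Allow statements open to everyone and gated only by aws:Referer."""
    findings = []
    for st in policy["Statement"]:
        keys = {k for op in st.get("Condition", {}).values() for k in op}
        public = st["Principal"] in ("*", {"AWS": "*"})
        if st["Effect"] == "Allow" and public and keys == {"aws:Referer"}:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings
```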

Further Reading:
How do I make requests
How do I manage access to my resources
