I have recently started experimenting with Amazon S3 to host the static content of my blog, like CSS, images, etc. The good news is that Amazon Web Services gives one year of free usage for new S3 accounts (5 GB of Amazon S3 standard storage, 20,000 Get Requests, and 2,000 Put Requests). You will easily run out of the GET request limit even if your blog has just a hundred visitors a day. My blog consumes around 3 lakh GET requests per month, but these are really cheap, only a cent for 10k requests. My S3 bill comes to around Rs. 20, which is negligible.

Though GET requests are cheap, they add up if somebody is hotlinking to your files, and if the hotlinked files are videos, software, or other stuff of a few MBs, you will surely run out of the free data transfer limit too. Amazon supports conditional rules for bucket access via Bucket Policies, and we can use these to prevent hotlinking. A policy can allow or deny access based on request attributes, such as the HTTP referrer and IP address.

Get the free version of S3 Browser. Log in using your Access Key and Secret Access Key. Change the ACL permission of the folder and all its content to private (accessible to owner only). Right-click on the bucket you are using for hosting content and choose “Edit Bucket Policies.” This opens the “Bucket Policies Editor.”

Paste the following policy and edit the aws:Referer section to list the domain name(s) you want to limit the bucket to. Replace imgbox in the Resource line with the name of your own bucket.

{
    "Version": "2008-10-17",
    "Id": "httprefererpolicyexample",
    "Statement": [
        {
            "Sid": "Allowgetrequestsreferredbywww.xyz.com,xyz.com",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::imgbox/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "http://domain.com/*",
                        "http://www.domain.com/*"
                    ]
                }
            }
        }
    ]
}

Your images will now show up only on your domain and will show a 404 error if an image is called directly or hotlinked.
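As an added example (not part of the original post, and not AWS's own code), this Python sketch generates the policy above for a list of hosts over both http and https, then models how the StringLike condition on aws:Referer treats a few constructed Referer values. The function names and sample hosts are assumptions, and the evaluation is a simplified model of a private bucket with a single Allow statement, not AWS's policy engine.

```python
import json
import re

def build_policy(bucket, hosts):
    """The page's Allow statement, generated for each host over http and https."""
    referers = [f"{s}://{h}/*" for h in hosts for s in ("http", "https")]
    return {
        "Version": "2008-10-17",
        "Id": "httprefererpolicyexample",
        "Statement": [{
            "Sid": "AllowGetFromListedReferers",  # constructed label
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringLike": {"aws:Referer": referers}},
        }],
    }

def string_like(pattern, value):
    """StringLike semantics: case-sensitive, '*' = any run, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def referer_patterns(policy):
    """Yield every aws:Referer pattern found in the policy's Allow statements."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            yield from stmt["Condition"]["StringLike"]["aws:Referer"]

def referer_allowed(policy, referer):
    """Simplified model: objects are private, so only a matching Allow grants the GET.
    A request without a Referer header has no aws:Referer key and never matches."""
    return referer is not None and any(string_like(p, referer) for p in referer_patterns(policy))

def lint(policy):
    """Return patterns whose host is not closed by '/', e.g. 'http://domain.com*',
    which would also match a longer host name that merely starts with yours."""
    ok = re.compile(r"https?://(\*\.)?[^/*?]+/")
    return [p for p in referer_patterns(policy) if not ok.match(p)]

if __name__ == "__main__":
    policy = build_policy("imgbox", ["domain.com", "www.domain.com"])
    print(json.dumps(policy, indent=2))
    # Constructed sample Referer values, not taken from real traffic.
    for ref in ["http://www.domain.com/post/1", "https://domain.com/",
                "http://other.example/page", "http://domain.com.other.example/x", None]:
        print(f"{ref!r:42} -> {'allow' if referer_allowed(policy, ref) else 'deny'}")
    print("weak patterns:", lint(policy))
```

The Referer header is supplied by the client, so a policy like this limits casual hotlinking and bandwidth use rather than acting as access control for sensitive files.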
