By Steven Koontz on Sunday, 02 August 2015
Posted in General Issues
Hi,

I am setting up a site for conversation and photo sharing for the family. It is 100% private: all content is restricted to registered users. I also want the photos uploaded to be private. I'm not talking about just the albums, I am talking about the original photo URLs.

While my albums are indeed private (if you access an album URL, you get the restricted content message), the problem is that the images within the album can be accessed through their URL.

See extra info for a photo example.

Is there any way to avoid this? I want everything 100% private for registered users ONLY, including direct links to images.
Hey Steven,

There's actually no real way to lock down physical files, as these files are actually being served on the web. Another way is for you to implement another layer of security at the .htaccess level by introducing password protection. However, your family members would need to bypass this first before logging into the site.
Sunday, 02 August 2015 13:20
That's what I suspected. I can even access private photos on Facebook with the direct URL.

I was messing around with Amazon S3 and found an interesting way to restrict access to requests originating from the domain. However, the file transfer for new photos with the ES cron stops working. I assume that because the cron uses the API, it is not a direct access to S3 from the domain or IP address, hence the bucket reacts with Access Denied to the ES cron. Any ideas for an exception I could put in the Bucket Policy to avoid S3 refusing the ES cron?

Here is the Bucket Policy:


{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests referred by http://www.mysite.com and mysite.com",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://www.mysite.com/*",
            "https://mysite.com/*"
          ]
        }
      }
    },
    {
      "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "https://www.mysite.com/*",
            "https://mysite.com/*"
          ]
        }
      }
    }
  ]
}


This policy works great for photos already in s3, but blocks the cron from adding new photos. Would appreciate any idea on how to whitelist the ES cron. Thanks!
Sunday, 02 August 2015 21:32
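The Access Denied the cron gets is explained by the policy itself: the second statement is a Deny with "Principal": "*", so it applies to the IAM identity the cron signs its API calls with as well as to anonymous browsers, and an explicit Deny in a bucket policy overrides any Allow in that identity's IAM policy. The following is an added example, not the original poster's policy nor anything shipped with the software: it keeps the referer gate for anonymous GETs but excludes the cron's identity from the Deny using NotPrincipal. The account ID 123456789012 and the IAM user name es-cron are assumptions; substitute the real account and the user (or role) whose access keys the cron uses.

```json
{
  "Version": "2012-10-17",
  "Id": "referer-gate-with-cron-exception",
  "Statement": [
    {
      "Sid": "AllowAnonymousGetWithSiteReferer",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "https://www.mysite.com/*",
            "https://mysite.com/*"
          ]
        }
      }
    },
    {
      "Sid": "DenyEveryoneElseWithoutSiteRefererExceptCron",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/es-cron",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "https://www.mysite.com/*",
            "https://mysite.com/*"
          ]
        }
      }
    }
  ]
}
```

Two things to check after applying it. First, NotPrincipal in a Deny statement must list the account root ARN alongside the IAM user, because an IAM user's permissions are derived from the account; without the root entry the user is still denied. The cron's IAM user additionally needs its own IAM policy allowing s3:PutObject (and whatever else it does) on the bucket, since the bucket policy above only stops denying it. Second, the referer condition is a convenience, not access control: the Referer header is set by the client, so anyone who has an image URL can fetch it with curl -H "Referer: https://www.mysite.com/" and get the object. It stops hotlinking and casual link sharing, which is what the first reply was getting at with "no real way to lock down physical files", but if the requirement is really "registered users only", the objects need to stay private (no anonymous Allow at all) and the site should hand out the images through an authenticated path, for example S3 presigned URLs generated after the user's login check.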
Hey Steven,

Hm, to be honest I am not too sure about this. Never tried this before.
Monday, 03 August 2015 01:54