rosa
August 5, 2024, 6:45am
1
Hi everyone! I have created an S3 bucket named “sub.domain.com” to use with Virtual-hosted-style requests (https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html#virtual-hosted-style-access). I have mapped my “sub.domain.com” to “sub.domain.com.s3.region-code.amazonaws.com” in my DNS records.
The issue is that when I use a bucket image object in my web app in an HTML img src tag like “https://sub.domain.com/image.jpg”, I get the error status (failed) net::ERR_CERT_COMMON_NAME_INVALID.
My SSL certificate is a wildcard certificate, *.domain.com.
The bucket is public; the image can be accessed over HTTP, but not HTTPS.
To be able to use HTTPS you need to deploy and serve the content through CloudFront. You can’t use your own certificate with an S3 bucket.
rosa
August 5, 2024, 7:19am
3
If I use CloudFront, how can I restrict access to only my web app?
WAF Web ACL or Lambda@Edge. It depends on what you mean by “restrict access”.
rosa
August 5, 2024, 8:06am
5
I mean to say that my bucket images should only be accessible from the HTML img tag in my web app, not via a browser URL.
You can use CORS with CloudFront and S3.
rosa
August 5, 2024, 9:05am
7
I tried CORS with S3 but it didn’t work. Do we have a CORS option in CloudFront?
rosa
August 5, 2024, 9:21am
8
I restrict access using the “Condition” section in the S3 bucket policy, like this:

```json
"Condition": {
    "StringLike": {
        "aws:Referer": [
            "https://my.domain.com/*"
        ]
    }
}
```
It worked, and the images can only be accessed by the web app.
But as you said, for HTTPS I need to use CloudFront. That’s why I am asking for an option to restrict access to only the web app.
If you would like to rely on the Referer header, then you can use WAF or Lambda@Edge.
rosa
August 5, 2024, 10:15am
10
Yes, I also know that it’s not secure to use the Referer header.
Okay, thank you!
Here is an example for User-Agent: https://repost.aws/knowledge-center/waf-block-http-requests-no-user-agent
It will look very similar for the Referer header.
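As an added example (not code from this thread, from AWS, or from the linked article), the Referer check that the replies above point at can be done directly in front of the CloudFront distribution with a CloudFront Function on the viewer-request event, which sees the viewer's headers before the request reaches the S3 origin. The allowed origin https://my.domain.com is an assumption taken from the bucket policy posted earlier; the sample events at the bottom are constructed for local checks with Node and are not real traffic.

```javascript
// Added example: CloudFront Function (viewer-request) that only lets a request
// through when its Referer header is on an allowed web-app origin.
// The origin below is an assumption taken from the thread; adjust for your app.
// Written in the ES5-style subset the CloudFront Functions runtime accepts.
var ALLOWED_ORIGINS = ['https://my.domain.com'];

// Returns true when `referer` is an absolute URL on one of the allowed origins.
// A bare prefix match would accept "https://my.domain.com.evil.example/",
// so the character right after the origin must be "/", "?", "#" or end of string.
function isAllowedReferer(referer, allowedOrigins) {
  if (typeof referer !== 'string' || referer.length === 0) return false;
  var lower = referer.toLowerCase();
  for (var i = 0; i < allowedOrigins.length; i++) {
    var origin = allowedOrigins[i].toLowerCase();
    if (lower.indexOf(origin) !== 0) continue;
    if (lower.length === origin.length) return true;
    var next = lower.charAt(origin.length);
    if (next === '/' || next === '?' || next === '#') return true;
  }
  return false;
}

// CloudFront Functions entry point: event.request.headers has lowercase keys,
// each a { value: '...' } object. Returning the request forwards it to the
// origin; returning a response object answers the viewer directly.
function handler(event) {
  var request = event.request;
  var refererHeader = request.headers['referer'];
  var referer = refererHeader ? refererHeader.value : '';
  if (isAllowedReferer(referer, ALLOWED_ORIGINS)) {
    return request;
  }
  return {
    statusCode: 403,
    statusDescription: 'Forbidden',
    headers: { 'cache-control': { value: 'no-store' } }
  };
}

// Constructed sample events (not captured traffic) for running this in Node.
function sampleEvent(referer) {
  var headers = { host: { value: 'sub.domain.com' } };
  if (referer !== undefined) headers['referer'] = { value: referer };
  return { request: { method: 'GET', uri: '/image.jpg', headers: headers } };
}
```

The same matching rule can be expressed as a WAF web ACL rule with a byte-match statement on the referer header, or in Lambda@Edge, if you prefer those; the logic is identical. Keep the caveat already raised in the thread in mind: any non-browser client can set Referer to whatever it likes, and browsers omit it entirely under a Referrer-Policy of no-referrer, so a request with no Referer is rejected by this function. This deters hotlinking; it does not authenticate the caller.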