AWS S3 - Referrer Whitelisting

I have the below security configuration on my AWS S3 bucket that allows file access only from my.web.com (my self-hosted app).

{
    "Version": "2012-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "Allow get requests originating from my.web.com",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::tweeterati/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://my.web.com/*"
                }
            }
        }
    ]
}

I want to add n8n.web.com to be able to download files using the AWS S3 node. For that, I need to edit the security to "aws:Referer": ["https://my.web.com/*", "https://n8n.web.com/*"]

Any idea what Referrer value should be whitelisted in AWS when n8n is hosted at n8n.web.com?

I verified this by removing the aws:Referer restriction and the AWS S3 node is able to download the file.

Hi @Santosh_Srinivas, n8n wouldn’t send a referer header by default. That’s a header typically sent by browser when following a link, you can read more about it here: Referer - HTTP | MDN

Thank you. Any idea what to include in my AWS policy so it accepts requests only from n8n.web.com … my self-hosted domain

I am not super familiar with AWS S3, but I’d think the easiest way would be to restrict access to certain IPs. This article discusses the idea: Limit Amazon S3 bucket access to certain IPs or VPCs

This would also secure your bucket against a fake referer header.

yep! Thank you! I just did exactly that … this worked as an additional config separate from the above:

{
    "Sid": "Allow get requests originating from XX.XX.XX.XX",
    "Effect": "Allow",
    "Principal": "*",
    "Action":
    [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
    ],
    "Resource": "arn:aws:s3:::tweeterati/*",
    "Condition":
    {
        "IpAddress":
        {
            "aws:SourceIp": "XX.XX.XX.XX/24"
        }
    }
}
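To make the point in this thread concrete, here is a small evaluator for the two bucket-policy conditions discussed above (StringLike on aws:Referer and IpAddress on aws:SourceIp), run against constructed request contexts. This is an added example, not code from the thread, from n8n or from AWS; the real S3 policy engine does much more (principals, explicit Deny, other operators). The function names are hypothetical, the request contexts are made up, and 203.0.113.0/24 is an assumed documentation range standing in for the XX.XX.XX.XX/24 in the posted policy.

```python
"""Evaluate the aws:Referer and aws:SourceIp conditions from this thread
against sample requests. Added example for illustration only."""
import ipaddress
import re

# Condition blocks as posted in the thread, Principal "*" in both, so the
# Condition alone decides who is allowed in.
REFERER_STATEMENT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Condition": {"StringLike": {"aws:Referer": ["https://my.web.com/*"]}},
}
SOURCE_IP_STATEMENT = {
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    # Assumed range standing in for the thread's XX.XX.XX.XX/24.
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
}


def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_matches(statement: dict, context: dict) -> bool:
    """True if every condition in the statement is satisfied by the request
    context. Only the two operators used in the thread are implemented. A
    condition key that is absent from the request (e.g. no Referer header)
    does not satisfy the condition, which is why n8n's header-less request
    is refused by the Referer policy."""
    for operator, keys in statement.get("Condition", {}).items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                if not any(_string_like(p, actual) for p in values):
                    return False
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(c, strict=False) for c in values):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def allowed(statement: dict, context: dict) -> bool:
    """Allow-statement decision for one request context."""
    return statement["Effect"] == "Allow" and condition_matches(statement, context)


def cidr_size(statement: dict) -> int:
    """How many source addresses the IpAddress condition admits."""
    cidr = statement["Condition"]["IpAddress"]["aws:SourceIp"]
    return ipaddress.ip_network(cidr, strict=False).num_addresses


# Constructed request contexts (not real traffic):
# n8n's S3 node sends no Referer at all; anyone with curl can send one.
N8N_REQUEST = {"aws:SourceIp": "203.0.113.7"}
ATTACKER_SPOOF = {"aws:SourceIp": "198.51.100.9",
                  "aws:Referer": "https://my.web.com/anything"}
NEIGHBOUR_IN_SAME_24 = {"aws:SourceIp": "203.0.113.250"}

if __name__ == "__main__":
    cases = [("n8n, no referer", N8N_REQUEST),
             ("spoofed referer", ATTACKER_SPOOF),
             ("neighbour in /24", NEIGHBOUR_IN_SAME_24)]
    for name, ctx in cases:
        print(f"{name:18} referer policy: {allowed(REFERER_STATEMENT, ctx)!s:5}"
              f"  ip policy: {allowed(SOURCE_IP_STATEMENT, ctx)}")
    print("addresses admitted by the IP condition:", cidr_size(SOURCE_IP_STATEMENT))
```

Two things worth noticing when you run it: the Referer policy admits the spoofed request and refuses n8n, while the IP policy does the reverse, which is the "fake referer header" point made above; and a /24 admits 256 addresses, not one, so if the n8n host has a single fixed address a /32 is the tighter choice. The posted policy also grants s3:PutObject and s3:PutObjectAcl to Principal "*" inside that range, so trim the Action list to s3:GetObject if downloading is all the node needs.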

Sweet, glad to hear this works for you and thanks for sharing your config :slight_smile: