How to Protect Paid Content in S3

Step 1

Create a separate bucket for paid content. For instance, for RubyPlus Pro account customers, I created

Step 2

Use the following bucket policy:

    "Version": "2008-10-17",
    "Id": "Policy1414368633278",
    "Statement": [
            "Sid": "Stmt1414368595009",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOURBUCKETNAME/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "*"

Step 3

Replace the YOURBUCKETNAME with the bucket name for the paid content.

Step 4

Replace the YOURDOMAINNAME with your website URL.

Step 5

Save the bucket policy. Now if you access the URL for the video directly like this: you will get an access denied error.

Step 6

You can also optionally enable server side encryption. It will encrypt the content when in transit and also when it is stored in S3. When your web site streams it, it will be decrypted.

Step 7

From now on, only your website URL will be able to access the content from the bucket for the paid content.

Step 8

You can easily filter the paid episodes in the controller in your Rails app and provide access to paid content to customers.


Related Articles

Software Compatibility Best Practices

I spoke to some of the most talented and experienced software developers. I have created a guide that is filled with valuable insights and actionable ideas to boost developer productivity.

You will gain a better understanding of what's working well for other developers and how they address the software compatibility problems.

Get the Guide Now