Setting up your S3 bucket policy can be done by following these instructions:


https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html


For additional security, the following is a sample bucket policy statement that will ONLY allow traffic from a valid order link, and will deny traffic from expired order links:


{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.fetchapp.com/get/*"]}
      }
    },
    {
      "Sid":"Allow get requests originating from www.example.com and example.com.",
      "Effect":"Deny",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.fetchapp.com/get/*/expired"]}
      }

    }
  ]
}


Note: In the above policy, you'll want to replace www.fetchapp.com with the domain of your FetchApp account.