Setting up your S3 bucket policy can be done by following these instructions:


https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html


For additional security, the following is a sample bucket policy statement that will ONLY allow traffic from a valid order link, and will deny traffic from expired order links:


{
  "Version":"2012-10-17",
  "Id":"http referer policy example",
  "Statement":[
    {
      "Sid":"Allow get requests originating from your FetchApp account from open orders.",
      "Effect":"Allow",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.yourhandle.fetchapp.com/get/*"]}
      }
    },
    {
      "Sid":"Deny get requests originating from your FetchApp account from expired orders.",
      "Effect":"Deny",
      "Principal":"*",
      "Action":"s3:GetObject",
      "Resource":"arn:aws:s3:::examplebucket/*",
      "Condition":{
        "StringLike":{"aws:Referer":["http://www.yourhandle.fetchapp.com/get/*/expired"]}
      }

    }
  ]
}



Note: In the above policy, you'll want to replace yourhandle with the handle of your FetchApp account.