AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

How to block s3 buckets from receiving other files than images?

0

Hello, let me start by describing what I want to achieve.

I have a flutter mobile app and I want it to be able to upload images to a S3 bucket. My plan is to generate presigned URL for PutObject operation and then use it in the app. The problem here is that I want to be secured, e.g. I do not want a user to be able to upload 1GB mp3 file. I think it can be achieved by using a policy, but are the policies really secure? I mean let's analyze the following policy:

{
  "Version": "2012-10-17",
  "Id": "Policy1464968545158",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/exampleuser"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.png",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.gif"
      ]
    },
  ]
}

it looks okay, but what if an image is not example.jpg but just example without any file extension? Is there a way to allow only certain file types without relying on file extensions?

トピック
ストレージ
タグ
Amazon Simple Storage Service (S3)
言語
English
Moti
質問済み 6ヶ月前165ビュー
1回答
0

I would think you would want to do file type validation and possibly limit max size in your flutter application.

Are you using Amplify or the straight API? Here is a link to the Amplify Flutter docs for Upload files. It might help.

https://docs.amplify.aws/lib/storage/upload/q/platform/flutter/

I would always opt for a bucket policy that is secure and any public bucket should probably be behind a CloudFront distribution.

I just tried this policy and it still allowed me to upload non-jpg file types:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:assumed-role/MyRole/MyUser"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*.jpg",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
Tom B
回答済み 6ヶ月前
  • Moti
    6ヶ月前

    My flutter team decided to use Firebase and they would like to stick with it and not use AWS technologies at all. That is why I am using the API by generating presigned URL from the backend. Doing validation in the mobile app sounds reasonable, but is it keeping me from abusive users? My intuition tells me no, but maybe I am wrong?

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ