S3 Direct Upload Restricting File Size and Type

s3 direct upload restricting file size and type

If you are talking about security problem (people uploading huge file to your bucket), yes, You CAN restrict file size with browser-based upload to S3.

Here is an example of the "policy" variable, where "content-length-range" is the key point.

"expiration": "'.date('Y-m-d\TG:i:s\Z', time()+10).'",
"conditions": [
    {"bucket": "xxx"},
    {"acl": "public-read"},
    ["starts-with","xxx",""],
    {"success_action_redirect": "xxx"},
    ["starts-with", "$Content-Type", "image/jpeg"],
    ["content-length-range", 0, 10485760]
]

In this case, if the uploading file size > 10mb, the upload request will be rejected by Amazon.

Of course, before starting the upload process, you should use javascript to check the file size and make some alerts if it does.

getting file size in javascript

Any way to limit S3 file upload size using bucket policy?

Is there a way to modify the bucket policy to prevent abuse of this kind?

No. Instead you have to fully modify your application and allow only authorized users to upload content. Your policy with "Principal": "*", and s3:PutObject is a bad practice resulting in your question.

So you have to implement some sort of a login system (can use Amazon Congito), and only then logged in and authorized users can upload the files. But not directly to the bucket. Instead you should use S3 presigned urls.

Similarly, the direct download of files from S3 should be prohibited. Instead CloudFront with S3 should be used.

S3 direct upload restrict file type

The content_type, as used in your example, is an argument whose value is used to tell S3 what the content-type of the uploaded object actually is -- that is, what you have determined it to be -- not to restrict what's allowed.

Depending on the application, and how important this restriction is, you will either need to validate the upload's genuine content type either on the client, or on the server, after upload.

There is no simple solution. S3 trusts that you, generating the signed post upload, knew the content-type of the object being uploaded and set it accordingly, so it accepts the value you sent.

Restricting file types on amazon s3 bucket with a policy

You can use the policy generator for this if you're not sure how to write, for example you would have something like

{
  "Id": "Policy1464968545158",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<yourbucket>/*.jpg",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1464968543787",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<yourbucket>/*.png",
      "Principal": "*"
    }
  ]
}

As said from doc you can specify multiple resources and aggregate this part, so no need to multiply the statement

    "Resource": [
      "arn:aws:s3:::<yourbucket>/*.jpg",
      "arn:aws:s3:::<yourbucket>/*.png",
      "arn:aws:s3:::<yourbucket>/*.gif",
    ],

so you get something like

{
    "Id": "Policy1464968545158",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1464968483619",
        "Action": [
          "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::<yourbucket>/*.jpg",
          "arn:aws:s3:::<yourbucket>/*.png",
          "arn:aws:s3:::<yourbucket>/*.gif",
        ],
        "Principal": "*"
      }
    ]
}

you can access policy generator when you create your bucket policy

Sample Image

AWS S3 : limit file size and billing

All data transfer into S3 is free.

See the S3 pricing page for more details.

How to restrict S3 file upload to a bucket by certain file type?

You can use combination of Deny with NotResource:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "NotResource": [
                "arn:aws:s3:::<bucket>/*.jpg",
                "arn:aws:s3:::<bucket>/*.png"
            ]
        }
    ]
}

Your policy only checks for extension of files, not whether the actual file upload is jpeg or png, and does not account for their variations, such as JPG, PNG, JPEG, and more. Extensions can be inaccurate.

As a side note, its is a bad practice, to allow anonymous uploads to your bucket. If you have other possibilities than this, it would be worth considering them first.


Related Topics

PHP Get Request, Sending Headers

Foursquare API for Venue User Image Error

Loadhtml Libxml_Html_Noimplied on an HTML Fragment Generates Incorrect Tags

Using Mx Records to Validate Email Addresses

Install Ffmpeg on Xampp

How to Create an Empty Array in PHP with Predefined Size

Backslash in PHP -- What Does It Mean

PHP PHP_Network_Getaddresses: Getaddrinfo Failed: No Such Host Is Known

Error: MySQLnd Cannot Connect to MySQL 4.1+ Using the Old Insecure Authentication

How Are Associative Arrays Implemented in PHP

PHP Imap Decoding Messages

PHP Crop Image to Fix Width and Height Without Losing Dimension Ratio

.Htaccess - Redirect Subdomain to Folder

How to Define Global Functions in PHP

PHP Range() from a to Zz

How to Convert Iso8601 to Date Format in PHP

Get Filename of File Which Ran PHP Include

Sending Push Notifications to Multiple Android Devices Using Gcm


Leave a reply



Submit