I'm doing browser-based uploads to my S3 bucket and of course, when doing it that way, there's nothing to stop an end-user from uploading any file of any arbitrary size.
Is there a way to modify the bucket policy to prevent abuse of this kind?
This is my current bucket policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::mybucket/*"
    },
    {
      "Sid": "Statement2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucketVersions",
      "Resource": "arn:aws:s3:::mybucket"
    }
  ]
}
CodePudding user response:
> Is there a way to modify the bucket policy to prevent abuse of this kind?
No. Instead you have to fully modify your application and allow only authorized users to upload content. Your policy with "Principal": "*", and s3:PutObject is a bad practice resulting in your question.
So you have to implement some sort of login system (you can use Amazon Cognito), and only then can logged-in and authorized users upload the files. But not directly to the bucket. Instead you should use S3 presigned URLs.
Similarly, the direct download of files from S3 should be prohibited. Instead CloudFront with S3 should be used.
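
Added example, not part of the original answer: a server-side sketch of the presigned approach that also caps the upload size, by signing an S3 POST policy whose content-length-range condition makes S3 reject any body outside the range. It goes one step beyond the answer's text; the region, the object key layout, the 5 MiB limit and the placeholder credentials are assumptions, and the secret key stays on the server.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta, timezone

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presigned_post(bucket, region, access_key, secret_key, key,
                   max_bytes=5 * 1024 * 1024, ttl_seconds=300, now=None):
    """Return (url, form_fields) for one browser upload; call only after login."""
    now = now or datetime.now(timezone.utc)
    date = now.strftime("%Y%m%d")
    fields = {
        "key": key,  # chosen by the server, not by the browser
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "x-amz-date": now.strftime("%Y%m%dT%H%M%SZ"),
    }
    expires = now + timedelta(seconds=ttl_seconds)
    policy = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        # S3 rejects the POST if any condition fails, including the size range.
        "conditions": [{"bucket": bucket},
                       ["content-length-range", 1, max_bytes],
                       *({name: value} for name, value in fields.items())],
    }
    fields["policy"] = base64.b64encode(json.dumps(policy).encode()).decode()
    # SigV4 signing key: HMAC chain over date, region, service, terminator.
    signing_key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    fields["x-amz-signature"] = hmac.new(
        signing_key, fields["policy"].encode(), hashlib.sha256).hexdigest()
    return f"https://{bucket}.s3.{region}.amazonaws.com/", fields

if __name__ == "__main__":
    # Constructed values: placeholder credentials, bucket name from the question.
    url, form = presigned_post("mybucket", "us-east-1", "AKIAEXAMPLE",
                               "constructed-secret", "uploads/user-42/avatar.png")
    print(url, json.dumps(form, indent=2))
```

The browser submits these fields in a multipart/form-data POST to the returned URL, with the file as the last field. With uploads signed this way, the bucket policy no longer needs s3:PutObject for "Principal": "*".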