
I'm uploading objects to S3 with PHP. I'd like to only accept PDF files and refuse files with other extensions.

So I wrote this bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1464968545158",
    "Statement": [
        {
            "Sid": "Stmt1464968483619",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::MYBUCKET/*.pdf"
        }
    ]
}

But it's not working, my bucket still accepts files with any extensions.

What did I do wrong?

Thank you

Chuck
    `"Principal": "*"` is not safe for uploads. Don't do it. – Michael - sqlbot Jun 26 '18 at 10:22
  • @Michael-sqlbot Thanks for the tip, I'm using aws signature v4 to upload objects (in PHP) and I'm trying to figure out where to specify "Principal" to allow the upload only for 1 group? – Chuck Jun 26 '18 at 13:04

1 Answer

Your policy allows PutObject on files matching *.pdf. However, it does not put any restrictions on PutObject. If you gained that permission by other means, you could still upload other files. E.g. the AWS managed policy arn:aws:iam::aws:policy/AmazonS3FullAccess currently looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

If you attached this to your AWS IAM user or IAM role, you would be able to put all objects in a bucket with that policy.

The NotResource element may be of service here, see here. A working bucket policy may look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "NotResource": [
                "arn:aws:s3:::MYBUCKET/*.pdf"
            ]
        }
    ]
}

This would deny PutObject for anyone on any object key that does not match *.pdf.

M. Glatki
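To make the evaluation logic behind this answer concrete, here is a small Python model of how IAM combines Allow and Deny statements. It is an added example, not code from the original question or answer, and it is a deliberate simplification: it merges identity policies and bucket policies into one list, ignores Principal and Condition, and supports only the `*` and `?` wildcards in Action and Resource/NotResource. It shows why the asker's Allow-only bucket policy stops nothing once AmazonS3FullAccess is attached, why the Deny/NotResource policy does, and one caveat a defender should keep in mind: the match is on the key suffix, so a key like `evil.exe.pdf` still passes, and nothing here inspects the actual content type.

```python
"""Simplified model of IAM policy evaluation (added example, not AWS code).

Assumptions (labelled): no Condition keys, Principal ignored, identity and
bucket policies merged into a single list, wildcard matching limited to
'*' (any run of characters) and '?' (one character). Real evaluation has
more layers (SCPs, permission boundaries, session policies, cross-account).
"""
import re

# --- the three policies from the thread, as Python dicts -----------------

ASKER_ALLOW_PDF = {  # the asker's bucket policy: Allow only *.pdf
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::MYBUCKET/*.pdf",
    }],
}

AMAZON_S3_FULL_ACCESS = {  # the managed policy quoted in the answer
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

DENY_NON_PDF = {  # the answer's Deny + NotResource bucket policy
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "NotResource": ["arn:aws:s3:::MYBUCKET/*.pdf"],
    }],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def iam_glob_match(pattern, text):
    """Match an IAM-style pattern: '*' = any run of chars, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def statement_applies(stmt, action, resource_arn):
    """True if the statement covers this action on this resource."""
    # Action names are case-insensitive in IAM.
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(iam_glob_match(a, action.lower()) for a in actions):
        return False
    if "Resource" in stmt:
        return any(iam_glob_match(r, resource_arn)
                   for r in _as_list(stmt["Resource"]))
    # NotResource: the statement applies to everything NOT listed.
    return not any(iam_glob_match(r, resource_arn)
                   for r in _as_list(stmt["NotResource"]))


def is_allowed(policies, action, resource_arn):
    """Explicit Deny wins over any Allow; no matching Allow = implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny ends evaluation
            allowed = True
    return allowed


def evaluate_scenarios():
    """Run the PutObject cases discussed in the thread; returns a dict."""
    key = "arn:aws:s3:::MYBUCKET/"  # constructed sample bucket ARN prefix
    put = "s3:PutObject"
    return {
        # asker's policy alone: only .pdf keys get an Allow
        "allow_only_pdf": is_allowed([ASKER_ALLOW_PDF], put, key + "report.pdf"),
        "allow_only_exe": is_allowed([ASKER_ALLOW_PDF], put, key + "upload.exe"),
        # add AmazonS3FullAccess on the identity: the .exe upload now succeeds
        "full_access_exe": is_allowed([ASKER_ALLOW_PDF, AMAZON_S3_FULL_ACCESS],
                                      put, key + "upload.exe"),
        # add the Deny/NotResource bucket policy: .exe is denied, .pdf still ok
        "deny_policy_exe": is_allowed([ASKER_ALLOW_PDF, AMAZON_S3_FULL_ACCESS,
                                       DENY_NON_PDF], put, key + "upload.exe"),
        "deny_policy_pdf": is_allowed([ASKER_ALLOW_PDF, AMAZON_S3_FULL_ACCESS,
                                       DENY_NON_PDF], put, key + "report.pdf"),
        # caveat: the check is on the key suffix only, not on file content
        "deny_policy_double_ext": is_allowed(
            [ASKER_ALLOW_PDF, AMAZON_S3_FULL_ACCESS, DENY_NON_PDF],
            put, key + "evil.exe.pdf"),
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:24s} -> {'ALLOW' if result else 'DENY'}")
```

The last scenario is the practical limit of any extension-based rule: an explicit Deny on the bucket is the right tool for closing the gap the answer describes, but it only constrains the object key, so validating the uploaded bytes (or the Content-Type) still belongs in the PHP upload code or a post-upload check.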