发表新帖
发表新帖

Restricting file types on amazon s3 bucket with a policy

后端 未结
关注
2 1132
眼角桃花
眼角桃花 2021-02-19 15:42

I\'m trying to set up so the only file types the bucket can hold would be png, jpeg, and gif images. I\'m trying to put in a bucket policy like this 

{
    \"con
相关标签:
2条回答
  • 刺人心
    2021-02-19 16:10

    I talked with AWS support engineer, the conditions.starts-with restriction is only supported by HTTP POST policy (eg: policy for browser form-field upload request). With this policy, it should be impossible to limit mineType when you or your users upload files with HTTP PUT request.

    Reference: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html#sigv4-PolicyConditions.

    For common policy, you can see available Condition keys here, https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html

    And I find there is another solution which can restrict mineType,

    1. specify mineType for your html element, like this: <input type="file" accept="image/bmp,image/jpeg,image/png,image/gif"/>
    2. then you can get bmp, jpeg, png and gif through code, and you can set them as file URL extension of S3 object before upload.
    3. Finally you can add general policy to limit file URL extension like below. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-allow-certain-file-types/
    {
    "Id": "Policy1464968545158",
    "Version": "2012-10-17",
    "Statement": [
      {
          "Sid": "Stmt1464968483619",
          "Effect": "Allow",
          "Principal": {
              "AWS": "IAM-USER-ARN"
          },
          "Action": "s3:PutObject",
          "Resource": [
              "arn:aws:s3:::bucket-name/*.bmp",
              "arn:aws:s3:::bucket-name/*.jpeg",
              "arn:aws:s3:::bucket-name/*.png",
              "arn:aws:s3:::bucket-name/*.gif"
         ]
     }
  ]
}
    1. So that you restrict the mimeType from browser side
    0 讨论(0)
  • 闹比i
    2021-02-19 16:12

    You can use the policy generator for this if you're not sure how to write, for example you would have something like

    {
  "Id": "Policy1464968545158",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1464968483619",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<yourbucket>/*.jpg",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1464968543787",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<yourbucket>/*.png",
      "Principal": "*"
    }
  ]
}

    As said from doc you can specify multiple resources and aggregate this part, so no need to multiply the statement

        "Resource": [
      "arn:aws:s3:::<yourbucket>/*.jpg",
      "arn:aws:s3:::<yourbucket>/*.png",
      "arn:aws:s3:::<yourbucket>/*.gif",
    ],

    so you get something like

    {
    "Id": "Policy1464968545158",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1464968483619",
        "Action": [
          "s3:PutObject"
        ],
        "Effect": "Allow",
        "Resource": [
          "arn:aws:s3:::<yourbucket>/*.jpg",
          "arn:aws:s3:::<yourbucket>/*.png",
          "arn:aws:s3:::<yourbucket>/*.gif",
        ],
        "Principal": "*"
      }
    ]
}

    you can access policy generator when you create your bucket policy

    0 讨论(0)
 看不清?
提交回复
热议问题