Amazon S3 – AWS Upload Bucket Policy: Restrict File Type

amazon s3amazon-web-servicesupload

I4m uploading with PHP objects to S3. I'd like to only accept PDF files and refuse files with other extensions.

So I wrote this bucket policy :

{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
    {
        "Sid": "Stmt1464968483619",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::MYBUCKET/*.pdf"
    }
]
}

But it's not working, my bucket still accepts files with any extensions.

What did I do wrong ?

Thank you

Best Answer

You policy allows putObject on files matching *.pdf. However, it does not put any restrictions on putObject. If you would gain that permissions by other means, you could still upload other files. E.g. the AWS managed policy arn:aws:iam::aws:policy/AmazonS3FullAccess currently looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

If you would attach this to your AWS IAM user or IAM role, you would be able to put all objects in a bucket with that policy.

The element NotResource may be of service here, see here. A working policy may look like this:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:putObject",
    "NotResource": [
      "arn:aws:s3:::MYBUCKET/*.pdf"
    ]
  }
}

This would deny putObjects for anyone, if those do not macht *.pdf.

Related Topic