I4m uploading with PHP objects to S3. I'd like to only accept PDF files and refuse files with other extensions.
So I wrote this bucket policy :
{
"Version": "2012-10-17",
"Id": "Policy1464968545158",
"Statement": [
{
"Sid": "Stmt1464968483619",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*.pdf"
}
]
}
But it's not working, my bucket still accepts files with any extensions.
What did I do wrong ?
Thank you
Best Answer
You policy allows putObject on files matching
*.pdf
. However, it does not put any restrictions on putObject. If you would gain that permissions by other means, you could still upload other files. E.g. the AWS managed policyarn:aws:iam::aws:policy/AmazonS3FullAccess
currently looks like this:If you would attach this to your AWS IAM user or IAM role, you would be able to put all objects in a bucket with that policy.
The element
NotResource
may be of service here, see here. A working policy may look like this:This would deny putObjects for anyone, if those do not macht
*.pdf
.