Can Presigned URLs Safeguard Against Malware and Restrict to Images in 2025?

Asked By CuriousCat92 On

I'm curious about using presigned URLs for file uploads in my app. A post I found from three years ago mentioned that AWS S3 only enforced the content type header, which isn't very secure against attackers. Has anything changed in the last three years regarding the ability to safeguard against malware or restrict uploads to only images? I'm trying to simplify the file verification process, but I'm wondering if I should just handle uploads directly on my server instead.

2 Answers

Answered By TechSavvyBunny On

You can use AWS GuardDuty to scan files for malware. Plus, you can set up the S3 bucket with a deny policy that blocks any file without a clean tag from GuardDuty. It's a practical way to enhance security!

Answered By DevOpsWizard On

The best approach is to incorporate event notifications with Lambda to verify file contents after upload. For instance, you can set it up to make sure the content matches the allowed Content-Type. Check out this article for more info: devsecopssourav.hashnode.dev/content-type-validation-during-file-uploads-to-an-aws-s3-bucket.

FileGuardian -

Exactly, and after verification, you can tag the file as clean. Then, just set a resource policy to deny any access to files without that tag. It's straightforward and doesn't require heavy code changes.
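As an added example (not code from either answer or from the linked article), here is a sketch of the post-upload check described above: a Lambda handler that compares the object's leading bytes with its declared Content-Type and tags the result. The tag key `scan-status`, the allowed image types and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

# Leading-byte signatures for the image types this hypothetical app allows.
SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}

def sniff_image_type(head: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, sigs in SIGNATURES.items():
        if any(head.startswith(s) for s in sigs):
            return mime
    # WebP is a RIFF container with 'WEBP' at offset 8.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "image/webp"
    return None

def verdict(declared: str, head: bytes) -> str:
    """'clean' only if the bytes are an allowed image and match the declared type."""
    declared = declared.split(";")[0].strip().lower()
    sniffed = sniff_image_type(head)
    return "clean" if sniffed is not None and sniffed == declared else "rejected"

def handle_record(s3, bucket: str, key: str) -> str:
    """Check one uploaded object and tag it; `s3` is a boto3 S3 client."""
    # Fetch only the first 16 bytes; the Content-Type is whatever the uploader sent.
    obj = s3.get_object(Bucket=bucket, Key=key, Range="bytes=0-15")
    result = verdict(obj.get("ContentType", ""), obj["Body"].read())
    s3.put_object_tagging(
        Bucket=bucket, Key=key,
        Tagging={"TagSet": [{"Key": "scan-status", "Value": result}]},  # assumed tag key
    )
    return result

def lambda_handler(event, context):
    import boto3  # imported here so the checks above run without AWS access
    s3 = boto3.client("s3")
    # Object keys in S3 event notifications are URL-encoded.
    return [
        handle_record(s3, r["s3"]["bucket"]["name"], unquote_plus(r["s3"]["object"]["key"]))
        for r in event["Records"]
    ]
```

The deny policy mentioned in the answers can then match on this tag with the `s3:ExistingObjectTag/scan-status` condition key. A header check like this only confirms the file type, so it complements a malware scanner rather than replacing one.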
