Can I restrict Amazon S3 Browser-Based Uploads by URL in my bucket policy
Based on: http://s3.amazonaws.com/doc/s3-example-code/post/post_sample.html

Is there a way to limit browser-based uploads to Amazon S3 such that they are rejected if they do not originate from my secure URL (i.e. https://www.someurl.com)?

Thanks!

> I want to absolutely guarantee the post is coming from my website

That is impossible.

The web is stateless, and a POST coming "from" a specific domain is not a valid concept, because the Referer: header is trivial to spoof, and a malicious user knows this. Running through an EC2 server gains you nothing, because it tells you nothing new or meaningful.

The POST policy document not only expires, it can constrain the object key to a prefix or an exact match. How is a malicious user going to defeat this? They can't.

> in the client form I have encrypted/hashed versions of my credentials.

No, you do not.

What you have is a signature that attests to your authorization for S3 to honor the form POST. It can't feasibly be reverse-engineered such that the policy can be modified, and that's the point. The form has to match the policy, which can't be edited and still remain valid.

You generate the signature using information known only to you and AWS; specifically, the secret that accompanies your access key.

When S3 receives the request, it computes what the signature should have been. If it's a match, the privileges of the specific user owning the key are checked to see whether the request is authorized.

By constraining the object key in the policy, you prevent the user from uploading (or overwriting) any object other than the specific one authorized by the policy. Or the specific object key prefix, in which case you restrict the user from harming anything not under that prefix.

If you are handing over a policy that allows any object key to be overwritten in the entire bucket, then you're solving the wrong problem by trying to constrain posts as coming "from" your website.
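
An added example, not part of the original answer, of the scheme described above: the server builds a POST policy that expires and pins the object key to a prefix, then signs it with AWS Signature Version 4. `signature_matches` is a local stand-in for the recomputation S3 performs, and the bucket, region, prefix, and credentials are constructed placeholders.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

# Constructed placeholder values; the secret stays on the server, never in the form.
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-example-secret-key"
REGION, BUCKET = "us-east-1", "example-bucket"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_policy(policy_b64: str, secret: str, date: str, region: str) -> str:
    """SigV4 for POST: derive the signing key, then HMAC the base64 policy."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, policy_b64.encode(), hashlib.sha256).hexdigest()

def build_form_fields(prefix: str, now: datetime, ttl_minutes: int = 15) -> dict:
    """Return the hidden form fields for an upload restricted to `prefix`."""
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{ACCESS_KEY}/{date}/{REGION}/s3/aws4_request"
    expires = now + timedelta(minutes=ttl_minutes)
    policy = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", prefix],  # the object key constraint
            ["content-length-range", 1, 5 * 1024 * 1024],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    return {
        "key": prefix + "${filename}",
        "policy": policy_b64,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "x-amz-signature": sign_policy(policy_b64, SECRET_KEY, date, REGION),
    }

def signature_matches(fields: dict, secret: str) -> bool:
    """Local stand-in for S3's check: recompute and compare in constant time."""
    _, date, region, _, _ = fields["x-amz-credential"].split("/")
    expected = sign_policy(fields["policy"], secret, date, region)
    return hmac.compare_digest(expected, fields["x-amz-signature"])
```

Decoding the `policy` field, widening the `starts-with` prefix, and re-encoding it makes `signature_matches` return False, because the signature covers the exact base64 policy string.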