
When uploading a file to AWS-S3, how can a lambda function deny a PutObject operation if the object key already exists in the bucket?

I've just realized that if I allow the browser to upload a file to my S3 bucket (using a session token from my server), an attacker can use known object keys to use those temporary permissions to overwrite those files (and either replace with malicious or empty content).

Some say the solution would be to use object versioning, but I'm wondering if a lambda function can intercept that PutObject request, check if the key already exists in the bucket, and if so, deny the operation.

The short answer is no.

This is because S3 is eventually consistent. Even if you did something clever like attempting a getObject to see if the file exists, you may well get a false negative under the heavy quick-fire load you're expecting from an attacker.

If you want to ensure that a signed url can be used once and only once, then you'll have to replace the signed url functionality with your own. An example would be to use API Gateway + Lambda + DynamoDB. In this case you would create an 'upload token' which you would save to DynamoDB and return to the user. When the user then uploads a file using the token, it is removed from DynamoDB (which can be made immediately consistent).
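The single-use token step of the scheme described in this answer, as an added example that is not part of the original answer: the token is spent with a DynamoDB conditional delete, so of two concurrent uploads presenting the same token only one can win, and the object key is chosen server-side when the token is issued, so the client never picks a key. `InMemoryTokenStore`, `DynamoTokenStore`, the table schema (partition key `token`, attributes `key` and `expires_at`) and the function names are assumptions of this example; the in-memory store is a stand-in so the code runs offline, and the Lambda would write the uploaded bytes to the key that `redeem_token` returns.

```python
import secrets
import time

class InMemoryTokenStore:
    # Constructed stand-in for the DynamoDB table so the example runs offline.
    def __init__(self):
        self._tokens = {}

    def put(self, token, key, expires_at):
        self._tokens[token] = (key, expires_at)

    def consume(self, token, now):
        # pop() removes and returns in one step, like DynamoDB's conditional delete.
        item = self._tokens.pop(token, None)
        if item is None or item[1] < now:
            return None
        return item[0]

class DynamoTokenStore:
    # Same interface against a DynamoDB table with partition key 'token' (assumed schema).
    def __init__(self, table_name):
        import boto3  # imported lazily so the module loads without boto3
        self._table = boto3.resource("dynamodb").Table(table_name)

    def put(self, token, key, expires_at):
        self._table.put_item(Item={"token": token, "key": key, "expires_at": expires_at})

    def consume(self, token, now):
        # Conditional delete: DynamoDB lets exactly one caller win, so the token is spent once.
        try:
            resp = self._table.delete_item(
                Key={"token": token},
                ConditionExpression="attribute_exists(#t) AND expires_at >= :now",
                ExpressionAttributeNames={"#t": "token"},  # TOKEN is a DynamoDB reserved word
                ExpressionAttributeValues={":now": now},
                ReturnValues="ALL_OLD",
            )
        except self._table.meta.client.exceptions.ConditionalCheckFailedException:
            return None
        return resp["Attributes"]["key"]

def issue_token(store, object_key, ttl_seconds=300, now=None):
    # The server chooses the object key; the client only ever sees the opaque token.
    now = int(time.time() if now is None else now)
    token = secrets.token_urlsafe(32)
    store.put(token, object_key, now + ttl_seconds)
    return token

def redeem_token(store, token, now=None):
    # Returns the key to write to, or None if the token is unknown, already spent or expired.
    return store.consume(token, int(time.time() if now is None else now))
```

A second redeem of the same token, or a redeem after the TTL, returns None, which is the point at which the Lambda rejects the upload.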
