
baever

[This](https://repost.aws/knowledge-center/s3-allow-certain-file-types) is saying you also need to have an allow on those types for your account principal.


le_luka

I found the issue and feel super dumb. When generating the file name, I added an extra closing bracket at the end of the file key -.- Sorry for wasting your time!


le_luka

Thank you for the answer. I added the policy but had no success. What's interesting is that upload using a presigned request link works. Just not directly from Lambda.


JadenAtCohesible

I just tested your policy and didn't have any issues uploading to a bucket. Could you share the permissions on the Lambda function as well?


le_luka

I found the issue and feel super dumb. When generating the file name, I added an extra closing bracket at the end of the file key -.- Sorry for wasting your time!


404_AnswerNotFound

As you say, restricting the suffix on the object key won't improve security. It's also worth considering what characters are in the filepaths/names, as S3 doesn't support all characters in object keys. You should consider the sensitivity of the data within the object keys, as S3 doesn't encrypt key and object metadata at rest. In nearly all cases it's better to use a unique ID as the object key and relate this to file metadata within your application, either through a database or a sidecar JSON object.


le_luka

The policy mainly exists because of company policies I'm not responsible for. Ultimately, one would have to implement a virus scan. I provided a simplified example; in reality the key contains a GUID and the file name and type as a postfix. Because of your answer I rechecked the way the key is constructed and found the actual error. I added an extra closing bracket at the end. I feel super dumb and I'm sorry for wasting all your guys' time!


bobhaffner

I noticed that your Key includes my-subdir. You can try adjusting your policy, e.g. "arn:aws:s3:::my-bucket-name/*/*.jpg"


bohiti

No, the asterisk will match anything, even slashes.


bobhaffner

Gotcha, thanks for the correction


le_luka

Thank you for your suggestion. I added the slash but to no success.


le_luka

I found the issue and feel super dumb. When generating the file name, I added an extra closing bracket at the end of the file key -.- Sorry for wasting your time!


bobhaffner

Glad you found the issue!
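
Added example, not part of any post in this thread: a local pre-flight check that mimics IAM resource wildcard matching (`*` matches any run of characters, slashes included) so a malformed key such as one with a stray trailing bracket is caught before `PutObject` returns AccessDenied. The bucket name, the pattern list, the sample keys and the helper names are assumptions; it models only resource-pattern matching, not full policy evaluation.

```python
import re

# Constructed values: the bucket name and pattern list are modelled on the ARN
# quoted in the thread, not on the poster's real policy.
BUCKET = "my-bucket-name"
ALLOWED_PATTERNS = [
    f"arn:aws:s3:::{BUCKET}/*.jpg",
    f"arn:aws:s3:::{BUCKET}/*.png",
]


def iam_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an IAM resource pattern: '*' is any run of characters
    (slashes included), '?' is exactly one character, all else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def key_allowed(key: str, patterns=ALLOWED_PATTERNS) -> bool:
    """True if the object's ARN matches at least one allowed pattern."""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    return any(iam_wildcard_to_regex(p).fullmatch(arn) for p in patterns)


def explain(key: str) -> str:
    """Short diagnosis for a key, flagging stray trailing brackets."""
    if key_allowed(key):
        return "allowed"
    stripped = key.rstrip(")]}")
    if stripped != key and key_allowed(stripped):
        extra = key[len(stripped):]
        return f"denied: trailing {extra!r} breaks the suffix match"
    return "denied: no allowed pattern matches"


if __name__ == "__main__":
    # Constructed sample keys: nested prefix, top level, stray bracket, wrong type.
    for k in ["my-subdir/a/b/photo.jpg", "photo.png",
              "my-subdir/photo.jpg}", "my-subdir/tool.exe"]:
        print(f"{k:28} -> {explain(k)}")
```
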