Sahil Sharma

Reputation: 4217

Amazon S3: Do not allow client to modify already uploaded images?

We are using S3 for our image upload process. We approve all the images that are uploaded on our website. The process is like:

  1. Clients upload images to S3 from JavaScript at a given path (using a token).
  2. Once we get back the URL from S3, we save the S3 path in our database with 'isApproved flag false' in the photos table.
  3. Once the image is approved through our executive, the images start displaying on our website.

The problem is that the user may change the image (to some obscene image) after the approval process through the token generated. Can we somehow stop users from modifying the images like this?

One temporary fix is to shorten the token lifetime interval i.e. 5 minutes and approve the images after that interval only.

I saw this, but it didn't help, as versioning also replaces the already uploaded image and moves the previously uploaded image to a new versioned path.

Any better solutions?

Upvotes: 1

Views: 98

Answers (1)

John Rotenstein

Reputation: 269101

You should create a workflow around the uploaded images. The process would be:

  • The client uploads the image
  • This triggers an Amazon S3 event notification to you/your system
  • If you approve the image, move it to the public bucket that is serving your content
  • If you do not approve the image, delete it

This could be an automated process using an AWS Lambda function to update your database and flag photos for approval, or it could be done manually after receiving an email notification via Amazon SNS. The choice is up to you.

The benefit of this method is that nothing can be substituted once approved.

Upvotes: 1
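
A sketch of the staging-to-public workflow described in the answer above, added here as an example and not part of the original answer. It assumes `s3` is a boto3 S3 client; the bucket names, function names and the sample event are constructed for illustration.

```python
from urllib.parse import unquote_plus

PUBLIC_BUCKET = "example-public-images"   # assumed name; clients get no write access here

# Constructed sample of an S3 ObjectCreated notification (trimmed to the fields used).
SAMPLE_EVENT = {"Records": [{
    "eventName": "ObjectCreated:Put",
    "s3": {"bucket": {"name": "example-staging-uploads"},
           "object": {"key": "uploads/user+42/cat.jpg",
                      "eTag": "0123456789abcdef0123456789abcdef"}},
}]}

def staged_uploads(event):
    """Return (bucket, key, etag) for each newly uploaded object awaiting review."""
    found = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue
        obj = rec["s3"]["object"]
        # Object keys arrive URL-encoded in event notifications.
        found.append((rec["s3"]["bucket"]["name"], unquote_plus(obj["key"]), obj["eTag"]))
    return found

def approve(s3, staging_bucket, key, reviewed_etag, public_key):
    """Publish exactly the bytes that were reviewed, then drop the staged copy.

    CopySourceIfMatch makes S3 refuse the copy if the staged object was
    overwritten after review, so a late substitution fails instead of going live.
    """
    s3.copy_object(
        Bucket=PUBLIC_BUCKET, Key=public_key,
        CopySource={"Bucket": staging_bucket, "Key": key},
        CopySourceIfMatch='"%s"' % reviewed_etag.strip('"'),
    )
    s3.delete_object(Bucket=staging_bucket, Key=key)
    return "s3://%s/%s" % (PUBLIC_BUCKET, public_key)

def reject(s3, staging_bucket, key):
    """Delete a staged upload that failed review."""
    s3.delete_object(Bucket=staging_bucket, Key=key)

if __name__ == "__main__":
    print(staged_uploads(SAMPLE_EVENT))
```

Storing the ETag from the notification alongside the unapproved row in the photos table lets the approval step pass back the value the reviewer actually saw.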
