
I have managed to trigger events on my bucket when objects are uploaded (PUT) but I am surprised that there are no triggers called when objects are downloaded (GETs), as can be seen in this screenshot of the interface:


I want to be notified of each download so I will be able to limit the downloads of any given object to a maximum of 10 times.

How to do that?

I am aiming at setting a tag (named, for example, limit_reached with value true) on the file object once the download limit is reached, and returning 403 via a conditional access policy based on the limit_reached tag.

An alternative to all this is to generate signed URLs from my web application, track how many signed URLs have been generated for a given object, and deny any further ones after signed URLs have been generated 10 times.

Your ideas are highly appreciated.

W.M.

1 Answer

As you point out, AWS S3 currently does not have an event type for GET calls.

To do something similar to what you are trying to do, I had to do the following:

  1. Create an application/Lambda whose only purpose is to retrieve items from the S3 bucket. This application was given exclusive privileges to the S3 bucket.
  2. The application keeps a counter of the number of times that S3 resource has been accessed.
  3. The application returns the 403 or whatever you want if you exceed the download limit.

Basically, create a "middleware" whose sole purpose is to go from your website/application to S3 and track the number of requests.

While the above solution meets your requirements, it is vulnerable to common attacks such as DDoS or people spoofing their IP. If you take this approach consider additional security measures (e.g. only authenticated users can invoke the application's GET call to S3).

Wesley Rolnick
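The gate the answer describes (count each GET, serve the object while under the limit, otherwise return 403, and only for authenticated callers), as an added example that is not the answerer's code. The event shape, the injected `fetch` callable and the in-memory `store` are assumptions so it runs offline; in a real Lambda the counter would need an atomic backend (e.g. a conditional DynamoDB update) and `fetch` would call S3.

```python
import threading

MAX_DOWNLOADS = 10  # limit from the question


class DownloadGate:
    """Middleware between the web app and S3 that enforces a per-object GET limit."""

    def __init__(self, fetch, store=None, limit=MAX_DOWNLOADS):
        self.fetch = fetch                      # callable(bucket, key) -> bytes (assumed)
        self.store = store if store is not None else {}  # counter per "bucket/key"
        self.limit = limit
        self._lock = threading.Lock()           # stand-in for an atomic backend update

    def _reserve(self, bucket, key):
        """Take one download slot; fail closed if the object is exhausted."""
        counter_key = f"{bucket}/{key}"
        with self._lock:
            used = self.store.get(counter_key, 0)
            if used >= self.limit:
                return False
            # Count before serving so a client cannot exceed the limit by
            # racing requests or by aborting the transfer after the check.
            self.store[counter_key] = used + 1
            return True

    def handle(self, event):
        """Lambda-style handler for a constructed event {bucket, key, principal}."""
        bucket, key = event["bucket"], event["key"]
        if not event.get("principal"):          # the answer's caveat: authenticated users only
            return {"statusCode": 401, "body": "authentication required"}
        if not self._reserve(bucket, key):
            return {"statusCode": 403, "body": "download limit reached"}
        return {"statusCode": 200, "body": self.fetch(bucket, key)}


def constructed_fetch(bucket, key):
    """Stand-in for s3.get_object; returns a constructed payload."""
    return f"contents of s3://{bucket}/{key}".encode()


def demo(requests=12):
    """Issue `requests` authenticated GETs for one object and return the status codes."""
    gate = DownloadGate(fetch=constructed_fetch)
    event = {"bucket": "example-bucket", "key": "report.pdf", "principal": "user-1"}
    return [gate.handle(event)["statusCode"] for _ in range(requests)]


if __name__ == "__main__":
    print(demo())  # the first 10 are 200, the rest 403
```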