S3 Presigned URL Upload Security Checklist Builder

Create a security checklist for S3-compatible presigned uploads covering scopes, content validation, expiration, malware scanning, abuse prevention, and audit logs.

Prompt Template

You are a backend security engineer reviewing S3-compatible presigned URL uploads.

Application context: [user uploads, admin imports, media attachments, documents, avatars, data files]
Storage provider: [AWS S3, Cloudflare R2, MinIO, GCS S3-compatible, other]
Upload flow: [server issues URL, browser uploads direct, mobile app upload, multipart upload, background processing]
File types allowed: [images, PDFs, CSVs, videos, archives, unknown]
User roles: [anonymous, authenticated user, tenant admin, internal staff, partner API]
Threat concerns: [malware, oversized files, content spoofing, public exposure, tenant data leak, URL sharing, cost abuse]
Current controls: [auth check, object key pattern, content-type validation, size limit, expiry, private bucket, scanner]
Processing pipeline: [virus scan, image resize, metadata extraction, moderation, ETL import, manual review]
Access pattern after upload: [private download, CDN, signed read URL, public asset, internal-only]
Compliance requirements: [PII, healthcare, finance, education, retention, deletion, audit]
Infrastructure as code: [Terraform, CDK, Pulumi, console, unknown]
Logging and monitoring: [CloudTrail, access logs, app logs, alerts, cost dashboard]

Create:
1. Presigned URL threat model for the described flow.
2. Security checklist for authentication, authorization, object key scoping, tenant isolation, expiration, method restrictions, and least privilege.
3. File validation plan for extension, MIME type, magic bytes, size, dimensions, and content rules.
4. Malware scanning and quarantine workflow before files become accessible.
5. Bucket, IAM, CORS, encryption, retention, and public-access-block recommendations.
6. Abuse prevention controls for repeated uploads, huge objects, multipart upload cleanup, and cost spikes.
7. Audit logging and alerting plan.
8. Test cases for happy path, expired URL, wrong method, wrong content type, oversized file, path traversal attempt, tenant crossover, and malicious file.
9. Code review questions for backend, frontend, mobile, and infrastructure reviewers.
10. Rollout checklist with migration and backfill considerations.

Be specific about what the application server must enforce before issuing the presigned URL and what storage policies must enforce independently.

Example Output

Critical Controls

| Area | Required Control | Test |
|---|---|---|
| Object key scope | Server generates keys under tenant/user prefix only | Attempt upload to another tenant prefix |
| Expiration | URL expires in minutes, not hours, unless justified | Reuse URL after expiry |
| Size limit | Enforced before signing and during upload policy where supported | Upload object over max size |
| Public access | Bucket blocks public ACLs and public policies by default | Try public-read ACL |
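The controls in the table above are only meaningful if they are baked into what gets signed, so the storage service enforces them even when the client edits the upload form. The following is an added example, not code from the page: a server-side issuer for an S3 presigned POST that chooses the object key itself under a per-tenant quarantine prefix, allowlists the content type, and signs a policy carrying the exact key, a content-length-range and a five-minute expiry, following the SigV4 browser-POST policy scheme. The bucket name, credentials, tenant and user ids, size cap and TTL are constructed placeholders.

```python
"""Added example (not the page's code): server-side issuance of an S3 presigned
POST whose signed policy carries the tenant-scoped key, the size cap, the
content type and a short expiry. Bucket, credentials and ids are placeholders."""
import base64
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timedelta, timezone

MAX_BYTES = 10 * 1024 * 1024               # assumed per-upload cap
MAX_TTL = timedelta(minutes=5)             # minutes, not hours
# allowed declared types and the extension the server assigns for each
ALLOWED = {"image/png": "png", "image/jpeg": "jpg", "application/pdf": "pdf"}


def check_request(tenant_id, user_id, content_type):
    """Return a rejection reason, or None if the server may sign this upload.
    Runs before signing: nothing here is left to the client."""
    if not (tenant_id.isalnum() and user_id.isalnum()):
        return "tenant/user id must be alphanumeric"
    if content_type not in ALLOWED:
        return f"content type not allowed: {content_type}"
    return None


def scoped_key(tenant_id, user_id, content_type):
    """The server chooses the key: random name, extension derived from the
    validated content type, always under the tenant/user quarantine prefix.
    The client never supplies a path, so traversal has nothing to act on."""
    return f"quarantine/{tenant_id}/{user_id}/{uuid.uuid4().hex}.{ALLOWED[content_type]}"


def _signing_key(secret, date, region):
    """SigV4 key derivation: date -> region -> service -> terminator."""
    key = ("AWS4" + secret).encode()
    for msg in (date, region, "s3", "aws4_request"):
        key = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return key


def issue_presigned_post(bucket, region, access_key, secret_key,
                         tenant_id, user_id, content_type, now=None):
    """Build the URL and form fields a browser posts directly to S3."""
    reason = check_request(tenant_id, user_id, content_type)
    if reason:
        raise ValueError(reason)
    now = now or datetime.now(timezone.utc)
    key = scoped_key(tenant_id, user_id, content_type)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    credential = f"{access_key}/{date}/{region}/s3/aws4_request"
    policy = {
        "expiration": (now + MAX_TTL).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": bucket},
            {"key": key},                          # exact key, no starts-with
            {"Content-Type": content_type},        # declared type is pinned
            ["content-length-range", 1, MAX_BYTES],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    signature = hmac.new(_signing_key(secret_key, date, region),
                         policy_b64.encode(), hashlib.sha256).hexdigest()
    return {
        "url": f"https://{bucket}.s3.{region}.amazonaws.com/",
        "fields": {
            "key": key,
            "Content-Type": content_type,
            "policy": policy_b64,
            "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": credential,
            "x-amz-date": amz_date,
            "x-amz-signature": signature,
        },
    }


def signed_policy(form):
    """Decode the policy a client received, to audit what S3 will enforce."""
    return json.loads(base64.b64decode(form["fields"]["policy"]))


if __name__ == "__main__":
    form = issue_presigned_post("example-bucket", "us-east-1", "AKIAEXAMPLE",
                                "example-secret", "t1", "u1", "image/png")
    print(json.dumps(signed_policy(form), indent=2))
```

Every field the client must submit is listed in the policy conditions, so a tampered key, a different Content-Type or an oversized body is rejected by S3 itself, independent of the application check that ran before signing. Pinning an exact key rather than a `starts-with` prefix also prevents a client from overwriting another object the server already issued a URL for.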

Quarantine Flow

Upload lands in private quarantine prefix. Scanner validates file type, size, malware status, and metadata. Only after passing checks does a worker move or tag the object as available to the application.
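The worker side of that flow, as an added example that is not the page's own code: it checks size, verifies the client-declared content type against the object's magic bytes, calls a pluggable scanner hook (a placeholder standing in for a real AV engine), and only then moves the object from the quarantine prefix to the serving prefix, tagging it with the scan result either way. The in-memory bucket dictionary and the sample objects are constructed for the example.

```python
"""Added example (not from the page): quarantine worker that validates an
uploaded object and promotes it only after every check passes. The bucket is
a dict simulating object storage: key -> (bytes, metadata)."""

MAX_BYTES = 10 * 1024 * 1024  # assumed cap, same value enforced at signing time

# leading bytes that must be present for each content type we accept
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
}


def sniff_type(data):
    """Return the content type implied by the file signature, or None."""
    for ctype, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return ctype
    return None


def inspect_object(data, declared_type, scan=None):
    """Return (verdict, reasons). The declared type is a hint, never proof."""
    reasons = []
    if len(data) == 0:
        reasons.append("empty object")
    if len(data) > MAX_BYTES:
        reasons.append("exceeds size limit")
    sniffed = sniff_type(data)
    if sniffed is None:
        reasons.append("unrecognised file signature")
    elif sniffed != declared_type:
        reasons.append(f"declared {declared_type} but content is {sniffed}")
    if scan is not None and not scan(data):   # placeholder hook for an AV engine
        reasons.append("scanner flagged content")
    return ("clean" if not reasons else "rejected"), reasons


def process_quarantine(bucket, key, scan=None):
    """Promote a quarantined object to the serving prefix, or hold it with a
    rejection tag so the application never serves it."""
    if not key.startswith("quarantine/"):
        raise ValueError("worker only processes quarantine objects")
    data, meta = bucket[key]
    verdict, reasons = inspect_object(data, meta.get("content-type", ""), scan)
    if verdict == "clean":
        new_key = "uploads/" + key[len("quarantine/"):]
        bucket[new_key] = (data, {**meta, "scan-status": "clean"})
        del bucket[key]
        return new_key, reasons
    bucket[key] = (data, {**meta, "scan-status": "rejected",
                          "reject-reason": "; ".join(reasons)})
    return key, reasons


# constructed sample objects: a real PNG header, an executable header declared
# as PNG, and a PNG declared as PDF
SAMPLE_BUCKET = {
    "quarantine/t1/u1/a.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, {"content-type": "image/png"}),
    "quarantine/t1/u1/b.png": (b"MZ\x90\x00" + b"\x00" * 64, {"content-type": "image/png"}),
    "quarantine/t1/u1/c.pdf": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, {"content-type": "application/pdf"}),
}

if __name__ == "__main__":
    bucket = dict(SAMPLE_BUCKET)
    for key in list(bucket):
        print(key, "->", process_quarantine(bucket, key))
```

Because the application only ever reads from the `uploads/` prefix, a rejected object stays unreachable without any extra application-side check; the reject reason in the metadata is what the audit log and the abuse alerts below key off.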

Abuse Alert

Trigger alerts on multipart uploads older than 24 hours, sudden storage growth by tenant, repeated rejected MIME types, and high egress from unsigned paths.
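Three of those triggers, stale multipart uploads, per-tenant storage growth and repeated content-type rejections, run over constructed records in the added example below (not code from the page). The record shapes, thresholds (24 hours, doubling plus at least 1 GiB, five rejections per hour) and timestamps are assumptions; in practice the multipart list comes from the storage API, usage from a metrics snapshot, and rejection events from the application log.

```python
"""Added example (not from the page): abuse detections over constructed
records. Timestamps are Unix seconds; thresholds are assumed values."""

DAY = 24 * 3600


def stale_multipart_uploads(uploads, now, max_age=DAY):
    """Multipart uploads still open after max_age. They accrue storage cost
    and never reach quarantine, so they should be aborted (a bucket lifecycle
    rule should enforce the same limit independently)."""
    return [u["upload_id"] for u in uploads if now - u["initiated"] > max_age]


def storage_growth_alerts(usage, ratio=2.0, min_delta=1 << 30):
    """Tenants whose stored bytes at least doubled (ratio) and grew by at least
    min_delta since the previous snapshot; the absolute floor keeps tiny
    tenants from alerting on every upload."""
    alerts = []
    for tenant, (before, after) in usage.items():
        if after - before >= min_delta and after >= ratio * max(before, 1):
            alerts.append(tenant)
    return sorted(alerts)


def repeated_mime_rejects(events, now, window=3600, threshold=5):
    """Principals with `threshold` or more content-type rejections inside the
    last `window` seconds: a probing client, or a broken one worth a look."""
    counts = {}
    for e in events:
        if (e["event"] == "upload_rejected" and e["reason"] == "content_type"
                and now - e["ts"] <= window):
            counts[e["principal"]] = counts.get(e["principal"], 0) + 1
    return sorted(p for p, c in counts.items() if c >= threshold)


# constructed sample data
NOW = 1_700_000_000
UPLOADS = [
    {"upload_id": "mpu-1", "key": "quarantine/t1/u1/x.bin", "initiated": NOW - 2 * DAY},
    {"upload_id": "mpu-2", "key": "quarantine/t2/u9/y.bin", "initiated": NOW - 600},
]
# tenant -> (bytes at previous snapshot, bytes now)
USAGE = {"t1": (10 << 30, 12 << 30), "t2": (1 << 30, 9 << 30), "t3": (0, 512 << 20)}
EVENTS = (
    [{"event": "upload_rejected", "reason": "content_type", "principal": "u7", "ts": NOW - 60 * i}
     for i in range(6)]
    + [{"event": "upload_rejected", "reason": "content_type", "principal": "u8", "ts": NOW - 30}]
)

if __name__ == "__main__":
    print("stale multipart:", stale_multipart_uploads(UPLOADS, NOW))
    print("storage growth:", storage_growth_alerts(USAGE))
    print("repeated MIME rejects:", repeated_mime_rejects(EVENTS, NOW))
```

Each function returns the identifiers to alert on rather than printing, so the same logic can feed a scheduled job, a dashboard or a test.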

Tips for Best Results

  • 💡 Scope object keys server-side; never let the client choose arbitrary storage paths.
  • 💡 Treat content type from the client as a hint, not proof.
  • 💡 Keep uploads private until scanning and validation pass.
  • 💡 Test storage policy enforcement separately from app-level checks.