I might be asking a dumb question, but I am trying to understand the necessary security precautions I need to take to allow users to upload images (png, jpg, gif) to S3, and serve them via an absolute URL hosted on EC2 for Facebook canvas. I have the bucket name and file name stored in RDS and plan on showing images via a call to an absolute address in the canvas.
I realize that for picture uploads, at minimum, there needs to be a check for: 1) file type (jpg, png, gif), 2) file size (< 5 mb), 3) mime type?
My question is that since the files are stored on S3 and only the file name and bucket name are physically on the server, are additional security precautions necessary? I read elsewhere that I should run it through GD or ImageMagick and resize, etc., and I am concerned that might be overkill and tax server resources. I realize that file upload security is very, very difficult, and any help would be greatly appreciated.
Thank you in advance.
I would advise not running it through GD and ImageMagick as you say, because of system usage and just unnecessary processes. S3 is really fast. Especially from another box on the Amazon system. I ended up resizing graphics because we didn't need them that large, and we didn't want to pay for storing large images, but that's not a security issue, just a $$/payment issue.
The security isn't hard. Your EC2 instance, if referred to by your Facebook App, doesn't need any security beyond read. Your server code/app would do the write permissions. When you upload the image using the S3 object (if this is in PHP) you simply set the permissions of the file when you upload.
I have a bunch of Facebook apps that post images to S3 with no problem. It's a great architecture and works well.
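The three checks listed in the question (file type, size, MIME type), as an added example that is not part of either post: the type is decided from the file's leading bytes, and the extension and the client-declared MIME type must agree with it. The function names, the `uploads/` key prefix and the sample bytes are assumptions made for illustration; the returned dict is meant to feed whatever S3 upload call the server code uses.

```python
import os
import uuid

MAX_BYTES = 5 * 1024 * 1024  # the 5 MB limit from the question

# Leading byte signatures for the three allowed formats.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "image/gif": {".gif"},
}


def sniff_type(data):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, prefixes in SIGNATURES.items():
        if data.startswith(prefixes):
            return mime
    return None


def validate_upload(filename, declared_mime, data):
    """Apply the size, type and MIME checks; return (ok, reason, s3_args)."""
    if not data or len(data) > MAX_BYTES:
        return False, "size", None
    actual = sniff_type(data)
    if actual is None:
        return False, "content is not png/jpg/gif", None
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[actual]:
        return False, "extension does not match content", None
    if declared_mime != actual:
        return False, "declared MIME type does not match content", None
    # Server-generated key: the client's file name never becomes the object name.
    key = "uploads/" + uuid.uuid4().hex + ext
    return True, "ok", {"Key": key, "ContentType": actual, "Body": data}


if __name__ == "__main__":
    sample = b"GIF89a" + b"\x00" * 32  # constructed sample, not a real image
    print(validate_upload("avatar.gif", "image/gif", sample)[:2])
```

A matching signature only shows how the file starts; it does not prove the rest of the file is a well-formed image.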