Secure S3 presigned uploads with malware scanning
Presigned uploads are useful for large files, but they remove your application from the byte path. That means you need a storage workflow, not just an HTTP middleware check.
For the storage-side Node.js version of this decision model, see Scan Files Before S3 Upload in Node.js.
Recommended pattern
- Generate a presigned URL for a quarantine bucket or prefix.
- Let the client upload directly to S3.
- Trigger a scan from an application worker, queue consumer, or review service.
- Promote only `clean` objects into the live bucket or prefix.
- Keep `suspicious` objects in quarantine and reject `malicious` ones outright.
Why not upload straight to the live bucket
- You lose the chance to inspect bytes before the object becomes available.
- Other systems may start processing the object immediately.
- Rollback and cleanup become harder when downstream consumers race ahead.
Minimal decision model
| Verdict | Storage action |
|---|---|
| `clean` | Copy or promote to the live bucket |
| `suspicious` | Keep in quarantine and open a review path |
| `malicious` | Delete or retain in a restricted evidence bucket |
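The five-step pattern above and the verdict table, put together as an added example (this is not Pompelmi's own code and does not use its API). The presigner, the S3 client and the scanner are hypothetical adapters injected into the two workflow functions, so the example runs offline against the constructed in-memory stand-ins at the bottom; in production you would wrap the AWS SDK and your real scanner behind the same small interfaces. The object key is derived from a server-generated upload id, not the client's file name, so a client cannot steer an upload out of the quarantine prefix, and any verdict other than `clean` fails closed.

```javascript
// Added example, not Pompelmi's own code: a quarantine-then-promote workflow
// for presigned S3 uploads. `presigner`, `s3` and `scanner` are hypothetical
// adapters; the fakes at the bottom let the example run offline.

const QUARANTINE_PREFIX = "quarantine/";
const LIVE_PREFIX = "live/";
const EVIDENCE_PREFIX = "evidence/";

// Step 1: issue a presigned PUT that can only land under the quarantine prefix.
// The key is built from a server-generated upload id plus a sanitised file
// name, so a client-chosen name cannot move the object out of quarantine.
function buildQuarantineUpload(presigner, bucket, uploadId, fileName) {
  const safeName = fileName.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  const key = `${QUARANTINE_PREFIX}${uploadId}/${safeName || "upload"}`;
  return { key, url: presigner.presignPut(bucket, key) };
}

// Steps 3-5: the worker runs after the upload lands, scans the quarantined
// bytes and applies the decision model (clean / suspicious / malicious).
async function processQuarantinedObject(s3, scanner, bucket, key) {
  if (!key.startsWith(QUARANTINE_PREFIX)) {
    throw new Error(`refusing to process an object outside quarantine: ${key}`);
  }
  const bytes = await s3.getObject(bucket, key);
  const verdict = await scanner.scan(bytes);
  const rest = key.slice(QUARANTINE_PREFIX.length);

  switch (verdict) {
    case "clean": {
      // Promote: copy into the live prefix, then drop the quarantine copy.
      const liveKey = `${LIVE_PREFIX}${rest}`;
      await s3.copyObject(bucket, key, liveKey);
      await s3.deleteObject(bucket, key);
      return { verdict, action: "promoted", key: liveKey };
    }
    case "malicious": {
      // Retain under a restricted evidence prefix; it never reaches the live prefix.
      const evidenceKey = `${EVIDENCE_PREFIX}${rest}`;
      await s3.copyObject(bucket, key, evidenceKey);
      await s3.deleteObject(bucket, key);
      return { verdict, action: "retained-as-evidence", key: evidenceKey };
    }
    case "suspicious":
    default:
      // Suspicious, or an unknown verdict: fail closed and leave the object
      // in quarantine for human review.
      return { verdict, action: "held-for-review", key };
  }
}

// --- Offline stand-ins, constructed for this example -----------------------

function makeFakeS3() {
  const store = new Map();
  const id = (bucket, key) => `${bucket}/${key}`;
  return {
    has: (bucket, key) => store.has(id(bucket, key)),
    // Simulates the client's direct PUT through the presigned URL (step 2).
    put: (bucket, key, bytes) => store.set(id(bucket, key), bytes),
    getObject: async (bucket, key) => store.get(id(bucket, key)),
    copyObject: async (bucket, from, to) => store.set(id(bucket, to), store.get(id(bucket, from))),
    deleteObject: async (bucket, key) => store.delete(id(bucket, key)),
  };
}

const fakePresigner = {
  presignPut: (bucket, key) => `https://${bucket}.s3.example/${key}?X-Amz-Signature=FAKE`,
};

// Toy scanner: a constructed marker string is "malicious", an executable
// header ("MZ") in a document bucket is "suspicious", anything else is "clean".
const fakeScanner = {
  scan: async (bytes) => {
    if (bytes.includes("CONSTRUCTED-MALWARE-MARKER")) return "malicious";
    if (bytes.subarray(0, 2).toString() === "MZ") return "suspicious";
    return "clean";
  },
};

// Runs the full workflow for three constructed uploads and returns the outcomes.
async function runDemo() {
  const bucket = "uploads";
  const s3 = makeFakeS3();
  const samples = [
    ["u1", "report.pdf", Buffer.from("%PDF-1.4 constructed sample")],
    ["u2", "../../tool.exe", Buffer.from("MZ constructed sample")],
    ["u3", "invoice.zip", Buffer.from("PK CONSTRUCTED-MALWARE-MARKER")],
  ];
  const results = [];
  for (const [uploadId, fileName, bytes] of samples) {
    const { key } = buildQuarantineUpload(fakePresigner, bucket, uploadId, fileName);
    s3.put(bucket, key, bytes); // the client's direct upload
    results.push(await processQuarantinedObject(s3, fakeScanner, bucket, key));
  }
  return { s3, results };
}

runDemo().then(({ results }) => console.log(results));
```

The worker refuses any key outside the quarantine prefix, which guards against a misconfigured event source handing it objects that were never gated; in a real deployment the quarantine and live prefixes would also carry separate IAM policies so the presigned URL's credentials cannot write to `live/` at all.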
Good fits for Pompelmi in this architecture
- Scan in a Node.js worker after the upload lands.
- Use the same policy packs and scanner composition you use for synchronous routes.
- Keep the privacy-first model because the object never needs to leave your own infrastructure for the initial gate.