benfortuna
commented
5 years ago To support client side encryption in a shared bucket will require a two-stage upload.
Stage 1: upload to staging bucket using pre-signed url. Trigger lambda for stage 2
Stage 2: encrypt uploaded file with client key and store in destination bucket. Delete unencrypted file
Support uploading files to S3. Use cognito to determine identity and generate pre-signed url to upload file into user space of uploads bucket.