by mdavidn 576 days ago
I think you can presign PutObject calls that validate a particular SHA-256 checksum. An API endpoint, e.g. in a Lambda, can effectively enforce this rule. It unfortunately won’t work on multipart uploads except on individual parts.
3 comments

The hash of multipart uploads is simply the hash of all the part hashes. I've been able to replicate it.
But in order to do that you need to already know the contents of the file.

I suppose you could have some API to request a signed URL for a certain hash, but that starts getting complicated, especially if you need support for multi-part uploads, which you probably do.

Unfortunately, last I checked, the list of headers you're allowed to enforce for pre-signing does not include the hash.
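
Added example, not written by any commenter in this thread: a sketch of the "hash of all the part hashes" computation mentioned above, usable by a server to check a finished multipart upload against content it already knows. It assumes S3's composite SHA-256 format (base64 of SHA-256 over the concatenated raw part digests, suffixed with `-<part count>`); the function names, sample bytes and tiny part size are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample object; real S3 parts are at least 5 MiB except the last.
SAMPLE = b"constructed sample object body"
DEMO_PART_SIZE = 12  # assumption for the demo only


def part_checksums(data: bytes, part_size: int) -> list[bytes]:
    """Raw SHA-256 digest of each part, in upload order."""
    if part_size <= 0 or not data:
        raise ValueError("need non-empty data and a positive part size")
    return [
        hashlib.sha256(data[off:off + part_size]).digest()
        for off in range(0, len(data), part_size)
    ]


def composite_checksum(digests: list[bytes]) -> str:
    """Checksum of checksums: hash the concatenated raw part digests."""
    combined = hashlib.sha256(b"".join(digests)).digest()
    return f"{base64.b64encode(combined).decode()}-{len(digests)}"


def verify_upload(reported: str, data: bytes, part_size: int) -> bool:
    """Compare the checksum the store reports with one recomputed locally.

    The verifier must know both the expected bytes and the part size the
    client used, because the part boundaries change the composite value.
    """
    expected = composite_checksum(part_checksums(data, part_size))
    return hmac.compare_digest(expected, reported)


if __name__ == "__main__":
    reported = composite_checksum(part_checksums(SAMPLE, DEMO_PART_SIZE))
    whole = base64.b64encode(hashlib.sha256(SAMPLE).digest()).decode()
    print("composite:   ", reported)
    print("whole-object:", whole)  # differs from the composite value
    print("verified:    ", verify_upload(reported, SAMPLE, DEMO_PART_SIZE))
```

The composite value is not the SHA-256 of the whole object, so a policy that pins a whole-file hash cannot be checked against it directly.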