S3 bucket policies should only allow requests that use HTTPS
Description
To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data, which preserves integrity and prevents tampering.
Remediation Steps
AWS Console
AWS CLI
Set a bucket policy that only allows HTTPS requests on an S3 bucket (the policy string is passed as a single quoted argument, so it may span several lines):
aws s3api put-bucket-policy --bucket <bucket value> --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["<account id>"]}, "Action": "s3:Get*", "Resource": "<bucket arn>/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "<bucket arn>/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}'
CloudFormation
JSON
Ensure that AWS::S3::BucketPolicy contains the following (Bucket is a Ref to the bucket's logical ID, PolicyDocument is a sibling of Bucket, and the Deny statement names the bucket and its objects in Resource, which S3 requires):
{
  "Properties": {
    "Bucket": { "Ref": "ExampleBucketName" },
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "*",
          "Resource": [
            { "Fn::GetAtt": [ "ExampleBucketName", "Arn" ] },
            { "Fn::Sub": "${ExampleBucketName.Arn}/*" }
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  }
}
JSON Example Configuration
{
  "Type": "AWS::S3::BucketPolicy",
  "Properties": {
    "Bucket": { "Ref": "ExampleBucketName" },
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "*",
          "Resource": [
            { "Fn::GetAtt": [ "ExampleBucketName", "Arn" ] },
            { "Fn::Sub": "${ExampleBucketName.Arn}/*" }
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  }
}
Bucket and PolicyDocument are the only required properties of AWS::S3::BucketPolicy; JSON templates cannot carry comments, so no placeholder for other fields is shown.
YAML
Ensure that AWS::S3::BucketPolicy contains the following (Bucket takes a !Ref to the bucket resource directly, and Resource covers both the bucket and its objects):
Properties:
  Bucket: !Ref Bucket2
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Deny
        Principal: "*"
        Action: "*"
        Resource:
          - !GetAtt Bucket2.Arn
          - !Sub "${Bucket2.Arn}/*"
        Condition:
          Bool:
            "aws:SecureTransport": "false"
YAML Example Configuration
Type: AWS::S3::BucketPolicy
Properties:
  Bucket: !Ref Bucket2
  PolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Deny
        Principal: "*"
        Action: "*"
        Resource:
          - !GetAtt Bucket2.Arn
          - !Sub "${Bucket2.Arn}/*"
        Condition:
          Bool:
            "aws:SecureTransport": "false"
# Bucket and PolicyDocument are the only required properties of this resource type
Terraform
If a bucket policy is defined in the policy field of an aws_s3_bucket resource, ensure the JSON document contains ALL of the following properties:
One or more valid actions:
"*"
"s3:*"
"s3:GetObject"
Valid effect:
Deny
Valid condition:
"aws:SecureTransport": "false"
If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains ALL of the properties listed above.
Example Configuration
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        # Deny every S3 action on the bucket and its objects when the request did not use TLS
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
  # other required fields here
}
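The Terraform section above states the rule a bucket policy must satisfy (a Deny statement, principal "*", a covering action, and the aws:SecureTransport condition set to false). The following is an added example, not part of the original page or any AWS tool, of an offline audit check that applies that rule to a policy document before it is deployed. It goes one step beyond the page's rule: it also verifies that the Deny's Resource covers both the bucket ARN and "<arn>/*", because a Deny on objects alone (as in the CLI command earlier on this page) still leaves bucket-level operations such as listing reachable over plain HTTP. The bucket ARN and the three sample policies are constructed for illustration.

```python
"""Offline check that an S3 bucket policy enforces HTTPS via aws:SecureTransport.

Added example (not from the original page). Sample policies and the bucket
ARN below are constructed for illustration only.
"""
import json

# Actions the page's Terraform rule accepts as "covering" for the Deny statement.
VALID_ACTIONS = {"*", "s3:*", "s3:GetObject"}

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # constructed sample ARN


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """Both "*" and {"AWS": "*"} denote every caller in an S3 bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _secure_transport_is_false(condition):
    """Condition must be Bool / aws:SecureTransport == false (string or JSON bool)."""
    if not isinstance(condition, dict):
        return False
    bool_block = condition.get("Bool")
    if not isinstance(bool_block, dict):
        return False
    return str(bool_block.get("aws:SecureTransport")).lower() == "false"


def denies_insecure_transport(statement):
    """True when one statement denies every caller whose request did not use TLS."""
    return (
        statement.get("Effect") == "Deny"
        and _principal_is_everyone(statement.get("Principal"))
        and bool(VALID_ACTIONS & set(_as_list(statement.get("Action"))))
        and _secure_transport_is_false(statement.get("Condition"))
    )


def check_policy(policy, bucket_arn):
    """Return (compliant, reason) for a policy given as a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    matching = [s for s in _as_list(policy.get("Statement")) if denies_insecure_transport(s)]
    if not matching:
        return False, "no Deny statement with aws:SecureTransport=false"
    resources = set()
    for s in matching:
        resources.update(_as_list(s.get("Resource")))
    # The Deny must reach bucket-level actions (bucket ARN) and object actions (ARN/*).
    if "*" in resources or (bucket_arn in resources and f"{bucket_arn}/*" in resources):
        return True, "HTTP denied for bucket and objects"
    if f"{bucket_arn}/*" in resources:
        return False, "HTTP denied for objects only; bucket-level actions not covered"
    return False, "Deny statement does not reference this bucket"


# Constructed sample 1: compliant policy, stored the way a policy file would be (JSON text).
COMPLIANT_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample 2: the Deny covers objects only, as in the CLI command on the page.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ["123456789012"]}, "Action": "s3:Get*",
         "Resource": BUCKET_ARN + "/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": BUCKET_ARN + "/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Constructed sample 3: no HTTPS enforcement at all.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"},
                   "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}],
}

if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT_POLICY_JSON),
                      ("objects-only", OBJECTS_ONLY_POLICY),
                      ("allow-only", ALLOW_ONLY_POLICY)]:
        ok, reason = check_policy(doc, BUCKET_ARN)
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Run it against a policy exported with `aws s3api get-bucket-policy` (the Policy field is a JSON string, which check_policy accepts as-is) to flag buckets whose Deny covers only `<arn>/*`; the Terraform example on this page lists both the bucket ARN and `${arn}/*` and therefore passes.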