S3 bucket policies should only allow requests that use HTTPS

Description

To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS wraps the connection in Transport Layer Security (TLS), which encrypts the data and protects its integrity, so it cannot be read or tampered with on the wire.

Remediation Steps

AWS Console

  • Navigate to S3.

  • Select the S3 bucket.

  • Click the Permissions tab.

  • Select Bucket Policy.

  • In the bucket policy editor, enter the bucket policy that is compliant with the SSL AWS Config rule as documented here.

AWS CLI

  • Set a bucket policy that only allows HTTPS requests on an S3 bucket. The Deny statement lists both the bucket ARN and `<bucket arn>/*`, so bucket-level calls (for example `s3:ListBucket`) over HTTP are refused as well as object calls:

    • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":["<bucket arn>","<bucket arn>/*"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'

Terraform

  • If a bucket policy is defined in an aws_s3_bucket policy field, ensure the JSON document contains ALL of the following properties:

    • One or more valid actions:

      • "*"

      • "s3:*"

      • "s3:GetObject"

    • Valid effect:

      • Deny

    • Valid condition:

      • "aws:SecureTransport": "false"

  • If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains ALL of the properties listed above.
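The criteria above can be applied to a policy document outside Terraform as well. The following is an added example, not part of the original rule text: a stand-alone Python check that accepts a policy as JSON text or a dict, reports whether any statement denies non-TLS requests, and adds a stricter variant that also requires the Deny to cover both the bucket ARN and its objects. The bucket ARN and sample policies are constructed for illustration.

```python
# Added example (not part of the original rule): apply the "Terraform" criteria
# above to a bucket policy document.
import json

VALID_ACTIONS = {"*", "s3:*", "s3:GetObject"}  # actions the rule accepts
BUCKET_ARN = "arn:aws:s3:::example-bucket"      # constructed, hypothetical bucket

def _as_list(value):
    """IAM fields such as Statement, Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def statement_denies_http(stmt):
    """True if the statement is a Deny on an accepted action, conditioned on
    aws:SecureTransport being false (the request did not use TLS)."""
    if stmt.get("Effect") != "Deny":
        return False
    if not set(_as_list(stmt.get("Action"))) & VALID_ACTIONS:
        return False
    secure = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in secure)  # IAM Bool values are strings

def policy_enforces_https(policy):
    """True if at least one statement of the policy (JSON text or dict) denies HTTP."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return any(statement_denies_http(s) for s in _as_list(doc.get("Statement")))

def deny_covers_bucket_and_objects(policy, bucket_arn):
    """Stricter check: the denying statement must name both the bucket ARN
    (bucket-level calls such as ListBucket) and bucket_arn/* (object calls)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if statement_denies_http(stmt):
            if {bucket_arn, bucket_arn + "/*"} <= set(_as_list(stmt.get("Resource"))):
                return True
    return False

def sample_policy(effect="Deny", resources=None, secure_transport="false"):
    """Build a constructed sample bucket policy (not taken from any real account)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": resources if resources is not None else [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": secure_transport}}}]})

if __name__ == "__main__":
    print(policy_enforces_https(sample_policy()))                          # True
    print(policy_enforces_https(sample_policy(effect="Allow")))            # False
    print(deny_covers_bucket_and_objects(sample_policy(resources=BUCKET_ARN + "/*"), BUCKET_ARN))  # False
```

An object-only Deny passes the basic check but fails the stricter one, which is the gap the example configuration below closes by listing both ARNs.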

Example Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        # Deny every S3 action from every principal when the request
        # did not use TLS (aws:SecureTransport is "false").
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        # Both the bucket ARN (bucket-level calls) and its objects are listed,
        # so HTTP is refused for all request types.
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })

  # other required fields here
}