S3 bucket policies should only allow requests that use HTTPS

Description

To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data, which preserves integrity and prevents tampering.

Console Remediation Steps

  • Navigate to S3.

  • Select the S3 bucket.

  • Click the Permissions tab.

  • Select Bucket Policy.

  • In the bucket policy editor, enter the bucket policy that is compliant with the SSL AWS Config rule as documented here.

CLI Remediation Steps

  • Set bucket policy to only allow HTTPS requests on an S3 Bucket:

    • aws s3api put-bucket-policy --bucket <bucket value> --policy '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":["<account id>"]},"Action":"s3:Get*","Resource":"<bucket arn>/*"},{"Effect":"Deny","Principal":"*","Action":"*","Resource":"<bucket arn>/*","Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'