AWS S3 Bucket Policy Enforces Secure Access

Risk

Remediation Effort

Low

This policy validates that all S3 Buckets enforce secure (HTTPS) access. This enforces encryption in transit of all information read from the bucket.

Remediation

To remediate this, add the following condition to the S3 Bucket Access Policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1504640911349",
    "Statement": [
        {
            "Sid": "Stmt1504640908907",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Version: 2012-10-17
Id: Policy1504640911349
Statement:
  -
    Sid: Stmt1504640908907
    Effect: Deny
    Principal: '*'
    Action: s3:GetObject
    Resource: arn:aws:s3:::/*
    Condition:
      Bool:
        aws:SecureTransport: 'false'

Reference

AWS S3 Bucket defense in depth guide

PreviousAWS S3 Bucket Policy Does Not Use Allow With Not Principal NextAWS S3 Bucket Policy Restricts Allowed Actions

Last updated 3 years ago