Amazon_S3_21

Ensure Secure Transport is enabled for all buckets

Description

If S3 buckets are not configured to strictly require SSL connections, the communication between clients and these buckets is vulnerable to eavesdropping and man-in-the-middle (MITM) attacks. To avoid this, enforce SSL-only access by denying all plain, unencrypted HTTP requests to your buckets, especially when they hold sensitive or private data.

Remediation

  1. Sign in to the AWS Management Console.
  2. Navigate to the S3 dashboard at https://console.aws.amazon.com/s3/.
  3. Select the S3 bucket that you want to enforce SSL-only access on and click the Properties tab from the dashboard top right menu.
  4. Inside the Properties tab, click Permissions to expand the bucket permissions settings panel.
  5. Click the Edit bucket policy button to edit the bucket policy in use. If the selected bucket does not have an access policy defined yet, click Add bucket policy.
  6. In the Bucket Policy Editor dialog box, perform one of the following actions based on your current configuration:
    1. If there is no access policy currently in use, paste the following policy document in the Bucket Policy Editor box, replace the bucket name, i.e. abc-bucket-name, with the name of your own S3 bucket, then click Save. This policy will deny non-SSL access to all objects in the selected S3 bucket:

        {
          "Version": "2012-10-17",
          "Id": "S3SecureTransportPolicy",
          "Statement": [
            {
              "Sid": "ForceSSLOnlyAccess",
              "Effect": "Deny",
              "Principal": { "AWS": "*" },
              "Action": "s3:*",
              "Condition": {
                "Bool": { "aws:SecureTransport": false }
              },
              "Resource": "arn:aws:s3:::abc-bucket-name/*"
            }
          ]
        }

    2. If the selected bucket already has an access policy, append the following statement to the existing statements in the Bucket Policy Editor box, as shown in the following example. Replace the bucket name, i.e. abc-bucket-name, with the name of your own bucket, then click the Save button to apply the permission changes. This statement will deny non-SSL access to all S3 objects stored in the selected bucket:

        {
          "Sid": "ForceSSLOnlyAccess",
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Action": "s3:*",
          "Condition": {
            "Bool": { "aws:SecureTransport": false }
          },
          "Resource": "arn:aws:s3:::abc-bucket-name/*"
        }
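As an added example, not code from the original check page: an offline Python check that parses a bucket policy document and reports whether a Deny statement on aws:SecureTransport=false covers the bucket's objects, and separately whether it also covers the bucket ARN itself (the policy above only names abc-bucket-name/*, so bucket-level calls such as listing over plain HTTP are not denied by it). It also builds the remediation statement with both ARNs and appends it to an existing policy, mirroring the "already has a policy" step. The bucket name abc-bucket-name and the sample policies are constructed for the example.

```python
"""Check a bucket policy for the SSL-only Deny statement, offline.

Added example, not code from the original check page. It parses a bucket
policy JSON document and reports whether a Deny on aws:SecureTransport=false
covers the bucket's objects and the bucket itself. The bucket name
"abc-bucket-name" and the sample policies below are constructed for the example.
"""
import fnmatch
import json


def _as_list(value):
    """IAM lets Principal/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean any caller, including anonymous.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_insecure_transport(condition):
    # Accept the bare JSON boolean used on this page and the "false" string AWS documents.
    value = (condition or {}).get("Bool", {}).get("aws:SecureTransport")
    return value is False or str(value).lower() == "false"


def _covers(resources, arn):
    # IAM resource ARNs may contain * and ? wildcards, which fnmatch evaluates the same way.
    return any(fnmatch.fnmatchcase(arn, pattern) for pattern in _as_list(resources))


def enforces_secure_transport(policy_text, bucket_name):
    """Return (objects_covered, bucket_covered): whether some Deny statement blocks
    plain-HTTP requests for object keys and for the bucket itself (ListBucket etc.)."""
    policy = json.loads(policy_text)
    any_object = f"arn:aws:s3:::{bucket_name}/any-key"  # representative object ARN
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    objects_covered = bucket_covered = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        if not _denies_insecure_transport(stmt.get("Condition")):
            continue
        objects_covered = objects_covered or _covers(stmt.get("Resource"), any_object)
        bucket_covered = bucket_covered or _covers(stmt.get("Resource"), bucket_arn)
    return objects_covered, bucket_covered


def secure_transport_statement(bucket_name):
    """The Deny statement from the remediation steps, with the bucket ARN added so
    bucket-level API calls over plain HTTP are denied too, not only object reads."""
    return {
        "Sid": "ForceSSLOnlyAccess",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
    }


def add_secure_transport_statement(policy_text, bucket_name):
    """Append the Deny statement to an existing policy document (the 'already has a
    policy' branch of the remediation) and return the new JSON text."""
    policy = json.loads(policy_text)
    policy.setdefault("Version", "2012-10-17")
    policy["Statement"] = _as_list(policy.get("Statement")) + [secure_transport_statement(bucket_name)]
    return json.dumps(policy, indent=2)


# Constructed samples: the page's own policy (objects only) and a public-read policy
# with no transport restriction at all.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "S3SecureTransportPolicy",
    "Statement": [{"Sid": "ForceSSLOnlyAccess", "Effect": "Deny", "Principal": {"AWS": "*"},
                   "Action": "s3:*", "Condition": {"Bool": {"aws:SecureTransport": False}},
                   "Resource": "arn:aws:s3:::abc-bucket-name/*"}],
})
OPEN_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::abc-bucket-name/*"}],
})

if __name__ == "__main__":
    samples = [("page policy", PAGE_POLICY), ("open read", OPEN_READ_POLICY),
               ("hardened", add_secure_transport_statement(OPEN_READ_POLICY, "abc-bucket-name"))]
    for name, text in samples:
        objects_ok, bucket_ok = enforces_secure_transport(text, "abc-bucket-name")
        print(f"{name}: objects={'denied' if objects_ok else 'OPEN'} bucket={'denied' if bucket_ok else 'OPEN'}")
```

To run this against a real bucket, pass the string returned by boto3's s3 client call get_bucket_policy(Bucket=name)["Policy"] as policy_text; a bucket with no policy at all raises a NoSuchBucketPolicy client error, which for this check simply means the transport requirement is not enforced.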

Service

S3

Severity

Medium

Compliance

Mapping
