Ensure S3 Bucket Policy is set to deny HTTP requests
To protect data in transit, the bucket policy should deny any request to the bucket or its objects that is not made over HTTPS. HTTPS wraps the request in Transport Layer Security (TLS), which encrypts and authenticates the traffic, so an on-path attacker can neither read nor tamper with it. Whether a request arrived over TLS is exposed to the policy through the aws:SecureTransport condition key, so the check is a Deny statement conditioned on that key being false.
Risk Level: High
Cloud Entity: Simple Storage Service (S3)
CloudGuard Rule ID: D9.AWS.CRY.04
Covered by Spectral: Yes
Category: Storage
GSL LOGIC
S3Bucket should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false' and ((Action contain ['s3:GetObject'] and Action contain ['s3:PutObject']) or Action contain ['s3:*'] or Action contain ['*'] ) ]
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
- In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
- Choose Permissions.
- Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
- On the Edit bucket policy page, either start from the Policy examples in the Amazon S3 User Guide, use Policy generator to build a policy, or edit the JSON in the Policy section directly. Add a statement with Effect Deny, Principal *, Action s3:*, the bucket ARN and the bucket ARN/* as Resource, and the condition Bool aws:SecureTransport false.
- In the Policy box, edit the existing policy or paste the policy from the Policy generator. Resolve any security warnings, errors, general warnings, and suggestions before you save.
- Choose Save changes, which returns you to the Bucket Permissions page.
From TF
If a bucket policy is defined inline in the policy field of an aws_s3_bucket resource, ensure the JSON document contains a statement with ALL of the following properties.
- Effect: Deny
- Action: * or s3:*, or both s3:GetObject and s3:PutObject
- Condition: Bool aws:SecureTransport false
If the bucket policy is defined as a separate aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains a statement with the same properties.
resource "aws_s3_bucket" "example" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "example2" {
  bucket = aws_s3_bucket.example.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKET_POLICY"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"        # every caller, anonymous or authenticated
        Action    = "s3:*"     # every S3 operation, not just GetObject/PutObject
        Resource = [
          aws_s3_bucket.example.arn,          # the bucket itself
          "${aws_s3_bucket.example.arn}/*",   # every object in it
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"   # request did not arrive over TLS
          }
        }
      },
    ]
  })
}
From Command Line
To add a policy that denies non-secure transport, write a document containing the Deny statement shown above (Effect Deny, Principal *, Action s3:*, the bucket ARN and the bucket ARN/* as Resource, and the condition Bool aws:SecureTransport false) to policy.json, then run:
aws s3api put-bucket-policy --bucket BUCKET-NAME --policy file://policy.json
Note that put-bucket-policy replaces the whole bucket policy, so merge the Deny statement into the existing policy (retrieve it with aws s3api get-bucket-policy --bucket BUCKET-NAME) rather than overwriting it.
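As an added example (not CloudGuard's or AWS's code), the following Python builds the policy document that policy.json needs for the command above and applies the GSL logic from this page to existing policy documents, including the partial remediations the rule rejects (a Deny without the condition, a Deny that covers only s3:GetObject, and an Allow gated on aws:SecureTransport=true). The bucket name and the sample policies are constructed for illustration.

```python
"""Build and audit an S3 bucket policy that denies plain-HTTP requests.

Added example, not CloudGuard's or AWS's code. The bucket name and the
sample policies below are constructed for illustration only.
"""
import json


def deny_insecure_transport_policy(bucket_name):
    """Return a bucket policy document that denies every non-TLS request.

    The Deny applies to all principals, to the bucket ARN and to every object
    under it, and fires only when aws:SecureTransport is false, i.e. the
    request arrived over plain HTTP. Write this to policy.json for
    `aws s3api put-bucket-policy --bucket NAME --policy file://policy.json`.
    """
    arn = "arn:aws:s3:::" + bucket_name
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, arn + "/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    """Policy fields such as Action and Statement may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _secure_transport_is_false(stmt):
    # The condition value is normally the string "false"; a JSON boolean is
    # accepted too. Missing or "true" does not satisfy the rule.
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    value = bool_cond.get("aws:SecureTransport")
    return value is not None and str(value).lower() == "false"


def statement_denies_insecure_transport(stmt):
    """Apply the GSL logic from this page to a single statement.

    Effect must be Deny, the aws:SecureTransport condition must be false, and
    the action set must cover everything (* or s3:*) or at least both
    s3:GetObject and s3:PutObject. IAM action names are case-insensitive, so
    they are lower-cased before comparison.
    """
    if stmt.get("Effect") != "Deny":
        return False
    if not _secure_transport_is_false(stmt):
        return False
    actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
    return (
        "*" in actions
        or "s3:*" in actions
        or {"s3:getobject", "s3:putobject"} <= actions
    )


def policy_denies_insecure_transport(policy):
    """True if any statement in the policy document satisfies the rule."""
    return any(statement_denies_insecure_transport(s)
               for s in _as_list(policy.get("Statement")))


def audit(policies):
    """Map each named policy document to True (PASS) or False (FAIL)."""
    return {name: policy_denies_insecure_transport(doc)
            for name, doc in policies.items()}


# Constructed sample policies (illustration only).
BUCKET_ARN = "arn:aws:s3:::my-tf-test-bucket"

COMPLIANT = deny_insecure_transport_policy("my-tf-test-bucket")

# Deny without the condition: blocks all access, HTTPS included, and still fails the rule.
NO_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}

# Only downloads are denied over HTTP; uploads over HTTP remain possible, so it fails.
GET_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": ["s3:GetObject"],
    "Resource": BUCKET_ARN + "/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# An Allow gated on aws:SecureTransport=true denies nothing: an HTTP request that an
# IAM policy already permits still succeeds, so it fails the rule. (Account ID is made up.)
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}


if __name__ == "__main__":
    print(json.dumps(COMPLIANT, indent=2))
    samples = {"compliant": COMPLIANT, "no_condition": NO_CONDITION,
               "get_only": GET_ONLY, "allow_only": ALLOW_ONLY}
    for name, ok in audit(samples).items():
        print(name, "PASS" if ok else "FAIL")
```

Running it prints the policy document to copy into policy.json and a PASS/FAIL line per sample. To audit a live bucket, pass the Policy field returned by aws s3api get-bucket-policy (a JSON string) through json.loads and hand the result to policy_denies_insecure_transport.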
References
- https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html
- https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
- https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere: web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Compliance Frameworks
- AWS CCPA Framework
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard S3 Bucket Security
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago