AWS S3 Does Not Enforce Secure Transport
Description:
Amazon Simple Storage Service (S3) provides the ability to ensure that data in transit to and from the S3 bucket is encrypted using Secure Sockets Layer (SSL)/Transport Layer Security (TLS). If secure transport is not enforced, sensitive data may be exposed to eavesdropping, which can lead to unauthorized data access or data breach.
Remediation:
1. Enforce Secure Transport on S3:
AWS Management Console:
- Navigate to the S3 service.
- Select the desired bucket.
- Go to Permissions > Bucket Policy.
- Add the following policy to enforce secure transport:
{
  "Version": "2012-10-17",
  "Id": "EnforceHTTPS",
  "Statement": [
    {
      "Sid": "ForceHTTPSEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<YOUR-BUCKET-NAME>",
        "arn:aws:s3:::<YOUR-BUCKET-NAME>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
- Replace <YOUR-BUCKET-NAME> with the name of your S3 bucket. Both resource ARNs are needed: the bucket ARN covers bucket-level calls such as ListBucket, and the `/*` ARN covers object-level calls such as GetObject and PutObject.
AWS CLI:
# Save the above JSON policy to a file, e.g., secure-transport-policy.json
aws s3api put-bucket-policy --bucket <YOUR-BUCKET-NAME> --policy file://secure-transport-policy.json
Terraform:
resource "aws_s3_bucket" "bucket" {
  bucket = "<YOUR-BUCKET-NAME>"
  # ... other configurations (ACL, versioning, ...) ...
}

# Attach the policy with the dedicated resource and reference the bucket's ARN
# instead of repeating the name ("self" is not valid inside a resource block).
resource "aws_s3_bucket_policy" "enforce_https" {
  bucket = aws_s3_bucket.bucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "EnforceHTTPS"
    Statement = [
      {
        Sid       = "ForceHTTPSEncryption"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.bucket.arn,
          "${aws_s3_bucket.bucket.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      }
    ]
  })
}
Replace <YOUR-BUCKET-NAME> with the desired name of your S3 bucket.
Ensure that you always enforce secure transport when accessing S3 buckets. This minimizes the risk of unauthorized access or data eavesdropping.
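The following is an added audit helper, not part of this page or of any AWS SDK: it inspects a bucket policy document (a dict, or the JSON string returned by `aws s3api get-bucket-policy`) and reports whether a Deny statement of the form shown above covers both object-level and bucket-level resources. The sample policies and the bucket name `example-bucket` are constructed for the demonstration.

```python
import json

# Constructed sample policies: the first denies plain-HTTP access to objects
# only, the second also covers the bucket ARN (ListBucket and other
# bucket-level operations).
_DENY = {"Sid": "ForceHTTPSEncryption", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
OBJECTS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(_DENY, Resource="arn:aws:s3:::example-bucket/*")]}
FULL_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(_DENY, Resource=["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"])]}


def _as_list(value):
    """Statement, Action and Resource may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True for Deny / any principal / all S3 actions / aws:SecureTransport false."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"s3:*", "*"}:
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return "false" in [str(f).lower() for f in _as_list(flag)]


def check_secure_transport(policy, bucket):
    """Report whether a TLS-only Deny covers the object ARN and the bucket ARN."""
    # Both flags must be True: an object-only Resource still lets ListBucket
    # and other bucket-level calls succeed over plain HTTP.
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    any_s3 = {"*", "arn:aws:s3:::*"}
    coverage = {"objects": False, "bucket": False}
    for stmt in _as_list(policy.get("Statement")):
        if not _denies_insecure_transport(stmt):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        coverage["objects"] |= bool(resources & (any_s3 | {bucket_arn + "/*"}))
        coverage["bucket"] |= bool(resources & (any_s3 | {bucket_arn}))
    return coverage
```

Run `check_secure_transport(OBJECTS_ONLY_POLICY, "example-bucket")` to see the partial result `{"objects": True, "bucket": False}` that a policy with only the `/*` resource produces.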