AWS S3 Does Not Enforce Secure Transport
Description:
Amazon Simple Storage Service (S3) provides the ability to ensure that data in transit to and from the S3 bucket is encrypted using Secure Sockets Layer (SSL)/Transport Layer Security (TLS). If secure transport is not enforced, sensitive data may be exposed to eavesdropping, which can lead to unauthorized data access or data breach.
Remediation:
1. Enforce Secure Transport on S3:
AWS Management Console:
- Navigate to the S3 service.
- Select the desired bucket.
- Go to Permissions > Bucket Policy.
- Add the following policy to enforce secure transport:
{
"Version": "2012-10-17",
"Id": "EnforceHTTPS",
"Statement": [
{
"Sid": "ForceHTTPSEncryption",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}- Replace
<YOUR-BUCKET-NAME>with the name of your S3 bucket.
AWS CLI:
# Save the above JSON policy to a file, e.g., secure-transport-policy.json
aws s3api put-bucket-policy --bucket <YOUR-BUCKET-NAME> --policy file://secure-transport-policy.jsonTerraform:
resource "aws_s3_bucket" "bucket" {
bucket = "<YOUR-BUCKET-NAME>"
acl = "private"
# ... other configurations ...
policy = <<-POLICY
{
"Version": "2012-10-17",
"Id": "EnforceHTTPS",
"Statement": [
{
"Sid": "ForceHTTPSEncryption",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::${self.bucket}/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
POLICY
}Replace <YOUR-BUCKET-NAME> with the desired name of your S3 bucket.
Ensure that you always enforce secure transport when accessing S3 buckets. This minimizes the risk of unauthorized access or data eavesdropping.
Updated about 2 months ago