Why doesn't S3 respect the TLS settings in my IAM policy?

2 minute read

Securing your data using IAM policies

In order to keep their data secure, many customers prefer to use specific versions of Transport Layer Security (TLS). For customers using S3, there is a IAM condition key that restricts connections to specific TLS versions.

It was noted that even with this condition key enabled and restricting connections to TLS v1.3, a scan of S3 using an automated security tool showed that earlier TLS versions (v1.0, v1.1 and v1.2) were still available. The question was therefore: Why is this so? If I've only allowed TLS v1.3 connections for my IAM users and roles, why can they still connect to S3 with earlier versions?

S3 is a multi-tenant service and it also allows for anonymous access if configured to do so. When customers configure an IAM policy they aren't configuring the entire service; they are setting specific conditions for those users and roles. The security tool mentioned above connects to the S3 service and reports back what TLS versions it offers; but it doesn't identify itself as an IAM user, therefore the IAM condition (restricting TLS versions) never gets applied.

In order to test this properly, the tool must connect to S3; send a request that matches the IAM policy; and sign the request using the appropriate IAM credentials. Only then can the service properly match the request to the permissions that have been defined.

If a user or application connects uses (say) TLS v1.1 and sends the request it will be denied because the condition key requires a higher TLS version. No data will be transferred because the connection will be closed.

Using the s3:TLSVersion condition key ensures that data sent to or received from S3 uses the TLS version specified in the IAM policy.

profile picture
published 4 months ago424 views