En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

S3 SSL security hub check fails

0

Hi,

ive put in a s3 bucket policy that I thought should cover the issue below:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

but the alert is not going, my policy is below

{
    "Version": "2012-10-17",
    "Id": "BUCKET-POLICY",
    "Statement": [
        {
            "Sid": "TerraformAccountAccessRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ]
        },
        {
            "Sid": "EnforceTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                },
                "NumericLessThan": {
                    "s3:TlsVersion": "1.2"
                }
            }
        }
    ]
}
Sujets
StockageSécurité, identité et conformité
Balises
Simple service de stockage AmazonGestion des identités et des accès AWSHub de sécurité AWS
Langue
English
rePost-User-2430939
demandé il y a 2 ans469 vues
2 réponses
1

Separating out the Deny policy into multiple statements will pass the Security Hub check. i.e. have the "aws:SecureTransport": "false" part on its own, and the TlsVersion in another statement.

AWS
Thomas_M
répondu il y a 2 ans
0

Expanding a bit on the answer by Thomas: the evaluation logic for multi-key conditions follows logical AND. This means that your policy requires both conditions must evaluate to true in order to DENY access. The first condition checks if the transport is over SSL and the second checks if the TLS version is less than 1.2. From this you get that access is denied only when there is no SSL. But if one uses SSL then no matter what the TLS version is - the access will be granted. What you need is a bucket policy that evaluates both conditions as logical OR and this boils down to what Thomas wrote: you must put two, separate statements each with a single condition. Please, take a look at this blog post where it is explained in depth.

AWS
RafalP
répondu il y a 2 ans

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents