- Più recenti
- Maggior numero di voti
- Maggior numero di commenti
Separating out the Deny policy into multiple statements will pass the Security Hub check. i.e. have the "aws:SecureTransport": "false"
part on its own, and the TlsVersion
in another statement.
Expanding a bit on the answer by Thomas: the evaluation logic for multi-key conditions follows logical AND
. This means that your policy requires both conditions must evaluate to true in order to DENY
access. The first condition checks if the transport is over SSL and the second checks if the TLS version is less than 1.2. From this you get that access is denied only when there is no SSL. But if one uses SSL then no matter what the TLS version is - the access will be granted. What you need is a bucket policy that evaluates both conditions as logical OR
and this boils down to what Thomas wrote: you must put two, separate statements each with a single condition. Please, take a look at this blog post where it is explained in depth.
Contenuto pertinente
- AWS UFFICIALEAggiornata un anno fa
- AWS UFFICIALEAggiornata 2 anni fa
- AWS UFFICIALEAggiornata 9 mesi fa