S3 SSL security hub check fails

0

Hi,

I've put in an S3 bucket policy that I thought should cover the issue below:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

but the alert is not going away; my policy is below:

{
    "Version": "2012-10-17",
    "Id": "BUCKET-POLICY",
    "Statement": [
        {
            "Sid": "TerraformAccountAccessRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ]
        },
        {
            "Sid": "EnforceTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                },
                "NumericLessThan": {
                    "s3:TlsVersion": "1.2"
                }
            }
        }
    ]
}
2 answers
1

Separating out the Deny policy into multiple statements will pass the Security Hub check, i.e. have the "aws:SecureTransport": "false" part on its own, and the TlsVersion in another statement.

AWS
Answered 2 years ago
0

Expanding a bit on the answer by Thomas: the evaluation logic for multi-key conditions follows logical AND. This means that your policy requires that both conditions evaluate to true in order to DENY access. The first condition checks if the transport is over SSL and the second checks if the TLS version is less than 1.2. From this you get that access is denied only when there is no SSL. But if one uses SSL then, no matter what the TLS version is, access will be granted. What you need is a bucket policy that evaluates both conditions as logical OR, and this boils down to what Thomas wrote: you must put two separate statements, each with a single condition. Please take a look at this blog post where it is explained in depth.

AWS
RafalP
Answered 2 years ago
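The following is an added example, not code from the original question or either answer. It models the evaluation logic both answers describe so the difference can be checked offline: condition keys inside one Condition block are ANDed, a key that is absent from the request context is a non-match (the documented IAM behaviour for operators without an IfExists suffix), and any matching Deny statement wins. The evaluator is a deliberately small model for illustration, not the AWS policy engine, and it ignores the Allow side. The statement Sids `DenyInsecureTransport` and `DenyTlsBelow12` and the three request contexts are constructed for this example; the ARNs are the asker's.

```python
"""
Why one Deny with two condition keys does not enforce TLS, and how the split
policy from the answers does. Added example; the evaluator is a simplified
model of IAM condition logic (assumption for illustration, not the real engine).
"""
import json

BUCKET_ARNS = [
    "arn:aws:s3:::security-statefile/*",
    "arn:aws:s3:::security-statefile",
]

# The asker's original Deny: both keys inside ONE Condition block (ANDed).
COMBINED_DENY = {
    "Sid": "EnforceTls",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": BUCKET_ARNS,
    "Condition": {
        "Bool": {"aws:SecureTransport": "false"},
        "NumericLessThan": {"s3:TlsVersion": "1.2"},
    },
}

# The fix from the answers: one condition per Deny statement. Separate
# statements are effectively ORed because any matching explicit Deny wins.
# Sids are constructed for this example.
SPLIT_DENY = [
    {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    },
    {
        "Sid": "DenyTlsBelow12",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
    },
]

# Constructed request contexts. A plaintext request carries no s3:TlsVersion key.
PLAINTEXT_REQUEST = {"aws:SecureTransport": "false"}
TLS11_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.1"}
TLS12_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.2"}


def condition_matches(condition, ctx):
    """Every operator/key pair must match (logical AND); an absent key never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def is_denied(statements, ctx):
    """Explicit Deny wins: the request is denied if ANY Deny statement matches."""
    return any(
        stmt["Effect"] == "Deny" and condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in statements
    )


def split_policy_document():
    """Full bucket policy: the asker's Allow statement plus the two separated Denies."""
    allow = {
        "Sid": "TerraformAccountAccessRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"},
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
    }
    return {"Version": "2012-10-17", "Id": "BUCKET-POLICY", "Statement": [allow, *SPLIT_DENY]}


if __name__ == "__main__":
    for name, ctx in [("plaintext", PLAINTEXT_REQUEST), ("TLS 1.1", TLS11_REQUEST), ("TLS 1.2", TLS12_REQUEST)]:
        print(f"{name:9s} combined-deny: {is_denied([COMBINED_DENY], ctx)!s:5}  "
              f"split-deny: {is_denied(SPLIT_DENY, ctx)}")
    print(json.dumps(split_policy_document(), indent=4))
```

Running it shows the combined statement matching nothing in this model (a TLS 1.1 request fails the Bool check, and a plaintext request has no s3:TlsVersion key, so the ANDed NumericLessThan fails), while the split statements deny both the plaintext and the TLS 1.1 request and still allow TLS 1.2. The printed document is the corrected policy in the shape the answers recommend.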
