What S3 bucket policy can I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?
I activated the AWS Config rule “s3-bucket-ssl-requests-only” for Amazon Simple Storage Service (Amazon S3) bucket policies to require encryption during data transit. I want to make sure that my bucket policies comply with this rule.
Resolution
Note: Amazon S3 offers encryption in transit and encryption at rest. Encryption in transit refers to HTTPS, and encryption at rest refers to client-side or server-side encryption.
Amazon S3 allows both HTTP and HTTPS requests. By default, Amazon S3 makes requests through the AWS Management Console, the AWS Command Line Interface (AWS CLI), or HTTPS.
To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policies explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests but don't explicitly deny HTTP requests might not comply with the rule.
To determine HTTP or HTTPS requests in a bucket policy, use a condition that checks for the key "aws:SecureTransport". When this key is true, then Amazon S3 sends the request through HTTPS. To comply with the s3-bucket-ssl-requests-only rule, create a bucket policy that explicitly denies access when the request meets the condition "aws:SecureTransport": "false". This policy explicitly denies access to HTTP requests.
Bucket policy that complies with s3-bucket-ssl-requests-only rule
This example bucket policy complies with the s3-bucket-ssl-requests-only rule. This policy explicitly denies all actions on the bucket and objects when the request meets the condition "aws:SecureTransport": "false":
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSSLRequestsOnly", "Action": "s3:*", "Effect": "Deny", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] }
Bucket policy that doesn't comply with s3-bucket-ssl-requests-only rule
This bucket policy doesn't comply with the s3-bucket-ssl-requests-only rule. Instead of an explicit deny statement, the policy allows access to requests that meet the condition "aws:SecureTransport": "true". This statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS. Avoid this type of bucket policy unless your use case requires anonymous access through HTTPS:
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "NOT-RECOMMENDED-FOR__AWSCONFIG-Rule_s3-bucket-ssl-requests-only", "Action": "s3:GetObject", "Effect": "Allow", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ], "Condition": { "Bool": { "aws:SecureTransport": "true" } }, "Principal": "*" } ] }
Related information
How to use bucket policies and apply defense-in-depth to help secure your Amazon S3 data
Does it matter if it is set to string "false" or actual boolean false?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
When I try to apply this policy, I get an error stating that it grants a level of public access that conflicts with my "Block Public Access" settings. I have "Block all public access" set, but I also want to block access from insecure transports. How can I enforce HTTPS for restapi requests?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
For the second example, where we allow public access with GetObject, to remain compliant with AWS Config s3-bucket-ssl-requests-only rule, we have to also include the first example as the second statement, so deny anything that is not secureTransport.
Hi Team,
For the "Deny" & "aws:SecureTransport":"true" example, under the actions section there is s3.* rather can we be more specific on what actions are actually required for this aws:SecureTransport to work?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Does it matter if it is set to string "false" or actual boolean false?
yes, the bucket policy supports JSON so it should be a string i.e. "false"
You might have setup policy Action as "Allow" instead of Deny. Please re-check the policy and share it with us if you are still facing the same issue.
The second policy is not complying with ssl only requests. Instead the statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS.
You have to deny all request to S3 i.e. s3:* if you want only ssl requests are made to S3 bucket.
Relevant content
- Accepted Answerasked 10 months ago
- asked 2 years ago
- asked a year ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 8 months ago
