What S3 bucket policy can I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?


I activated the AWS Config rule “s3-bucket-ssl-requests-only” for Amazon Simple Storage Service (Amazon S3) bucket policies to require encryption during data transit. I want to make sure that my bucket policies comply with this rule.

Resolution

Note: Amazon S3 offers encryption in transit and encryption at rest. Encryption in transit refers to HTTPS, and encryption at rest refers to client-side or server-side encryption.

Amazon S3 accepts both HTTP and HTTPS requests. By default, requests that you make through the AWS Management Console or the AWS Command Line Interface (AWS CLI) use HTTPS, but a client can still send plain HTTP requests to the bucket endpoint unless a policy denies them.

To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policies explicitly deny access to HTTP requests. A bucket policy that only allows HTTPS requests, without an explicit deny for HTTP requests, doesn't comply with the rule.

To distinguish HTTP from HTTPS requests in a bucket policy, use a condition on the global condition key "aws:SecureTransport". This key is true when the request was sent over HTTPS (TLS) and false when it was sent over plain HTTP. To comply with the s3-bucket-ssl-requests-only rule, create a bucket policy that explicitly denies access when the request meets the condition "aws:SecureTransport": "false". That statement explicitly denies all HTTP requests.

Bucket policy that complies with s3-bucket-ssl-requests-only rule

This example bucket policy complies with the s3-bucket-ssl-requests-only rule. This policy explicitly denies all actions on the bucket and objects when the request meets the condition "aws:SecureTransport": "false". Because the statement is a Deny with Principal "*", it applies to every principal, including IAM users and roles in your own account, so any client that still uses plain HTTP is refused:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

Bucket policy that doesn't comply with s3-bucket-ssl-requests-only rule

This bucket policy doesn't comply with the s3-bucket-ssl-requests-only rule. Instead of an explicit deny statement, the policy allows access to requests that meet the condition "aws:SecureTransport": "true". This statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS. Avoid this type of bucket policy unless your use case requires anonymous access through HTTPS:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NOT-RECOMMENDED-FOR__AWSCONFIG-Rule_s3-bucket-ssl-requests-only",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      },
      "Principal": "*"
    }
  ]
}
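The following Python script is an added example and not code from the Knowledge Center article. It builds the Deny statement from the compliant example above for a given bucket name, then runs a small check over a policy document that approximates what the s3-bucket-ssl-requests-only rule looks for: an explicit Deny for any principal, on all S3 actions against both the bucket and its objects, conditioned on "aws:SecureTransport": "false". It is not the Config rule's own evaluation code; the function names, the constructed policy documents and the bucket name DOC-EXAMPLE-BUCKET are this example's own. It goes slightly beyond the two policies shown on this page by also checking a policy that pairs the HTTPS-only public-read Allow with the Deny, and a Deny that mistakenly tests for "true".

```python
"""Added example (not from the Knowledge Center article): build the HTTPS-only
Deny statement for a bucket and check policy documents for it.

The check approximates what s3-bucket-ssl-requests-only looks for (an explicit
Deny of non-TLS requests); it is not the Config rule's own evaluation code.
The helper names, the sample policies and the bucket name are this example's own.
"""
import json

BUCKET = "DOC-EXAMPLE-BUCKET"  # placeholder bucket name, as in the article


def ssl_only_statement(bucket: str) -> dict:
    """The Deny statement from the article's compliant example, for `bucket`."""
    return {
        "Sid": "AllowSSLRequestsOnly",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        "Principal": "*",
    }


def ssl_only_policy(bucket: str) -> dict:
    """Bucket policy whose single statement denies every S3 action on the
    bucket and its objects when the request did not arrive over TLS."""
    return {"Id": "ExamplePolicy", "Version": "2012-10-17",
            "Statement": [ssl_only_statement(bucket)]}


def _as_list(value) -> list:
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    # "*" and {"AWS": "*"} both match any principal, anonymous included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _denies_plain_http(stmt: dict, bucket: str) -> bool:
    """True if stmt is an explicit Deny of non-TLS requests from any principal
    on all S3 actions against both the bucket and its objects."""
    if stmt.get("Effect") != "Deny":
        return False
    secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    # The article writes the value as the string "false"; comparing the
    # lower-cased string form also tolerates a JSON false.
    if secure is None or str(secure).lower() != "false":
        return False
    actions = _as_list(stmt.get("Action", []))
    resources = set(_as_list(stmt.get("Resource", [])))
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return (_principal_is_everyone(stmt.get("Principal"))
            and any(a in ("*", "s3:*") for a in actions)
            and needed <= resources)


def is_ssl_requests_only(policy_json: str, bucket: str) -> bool:
    """Compliant if at least one statement explicitly denies plain-HTTP requests."""
    policy = json.loads(policy_json)
    return any(_denies_plain_http(s, bucket) for s in _as_list(policy.get("Statement", [])))


# Constructed sample policies (this example's own, modelled on the article).
COMPLIANT_POLICY = json.dumps(ssl_only_policy(BUCKET))

# The article's non-compliant shape: public read over HTTPS and no Deny.
ALLOW_HTTPS_GET = {
    "Sid": "PublicReadOverHTTPS",
    "Action": "s3:GetObject",
    "Effect": "Allow",
    "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    "Principal": "*",
}
NON_COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_HTTPS_GET]})

# The same public-read Allow paired with the Deny; the Deny is what the rule needs.
COMBINED_POLICY = json.dumps({"Version": "2012-10-17",
                              "Statement": [ALLOW_HTTPS_GET, ssl_only_statement(BUCKET)]})

# A common mistake: a Deny that tests for "true" blocks the HTTPS requests you
# wanted to keep and does not deny plain HTTP at all.
WRONG_DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(ssl_only_statement(BUCKET), Condition={"Bool": {"aws:SecureTransport": "true"}})]})

if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT_POLICY), ("non-compliant", NON_COMPLIANT_POLICY),
                      ("combined", COMBINED_POLICY), ("wrong deny", WRONG_DENY_POLICY)]:
        print(f"{name:14} ssl-requests-only: {is_ssl_requests_only(doc, BUCKET)}")
```

To apply the generated document, write it to a file and run aws s3api put-bucket-policy --bucket DOC-EXAMPLE-BUCKET --policy file://policy.json; afterwards a plain-HTTP request to the bucket endpoint is refused with 403 AccessDenied, which is the behaviour the Config rule is checking for. The check is deliberately strict: it requires the shape of the article's compliant example (s3:*, both ARNs, Principal "*") and reports anything narrower as non-compliant.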

Related information

How to use bucket policies and apply defense-in-depth to help secure your Amazon S3 data

AWS OFFICIAL
Updated 6 months ago
13 Comments

Does it matter if it is set to string "false" or actual boolean false?

AWS
Rt
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

When I try to apply this policy, I get an error stating that it grants a level of public access that conflicts with my "Block Public Access" settings. I have "Block all public access" set, but I also want to block access from insecure transports. How can I enforce HTTPS for REST API requests?

abh555
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago

For the second example, where we allow public access with GetObject, to remain compliant with AWS Config s3-bucket-ssl-requests-only rule, we have to also include the first example as the second statement, so deny anything that is not secureTransport.

ppab-sp
replied 10 months ago

Hi Team,

For the "Deny" & "aws:SecureTransport":"true" example, under the Action section there is s3:*; rather, can we be more specific about what actions are actually required for this aws:SecureTransport to work?

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago

Does it matter if it is set to string "false" or actual boolean false?

Yes, the bucket policy supports JSON, so it should be a string, i.e. "false".

AWS
SUPPORT ENGINEER
replied 6 months ago

For the second example, where we allow public access with GetObject, to remain compliant with AWS Config s3-bucket-ssl-requests-only rule, we have to also include the first example as the second statement, so deny anything that is not secureTransport.

The second policy doesn't comply with SSL-only requests. Instead, the statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS.

AWS
SUPPORT ENGINEER
replied 6 months ago

Note that instead of manually creating a policy and attaching it to a bucket, S3Bucket CDK construct supports a single flag enforceSSL: true which will do that for you. See https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#enforcessl

AWS
Alex
replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago