Does it matter if it is set to string "false" or actual boolean false?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
When I try to apply this policy, I get an error stating that it grants a level of public access that conflicts with my "Block Public Access" settings. I have "Block all public access" set, but I also want to block access from insecure transports. How can I enforce HTTPS for REST API requests?
For the second example, where we allow public access with GetObject, to remain compliant with the AWS Config s3-bucket-ssl-requests-only rule, we have to also include the first example as the second statement, i.e. deny anything that is not SecureTransport.
Hi Team,
For the "Deny" & "aws:SecureTransport":"true" example, under the actions section there is s3:*. Rather than that, can we be more specific on what actions are actually required for this aws:SecureTransport to work?
Does it matter if it is set to string "false" or actual boolean false?
Yes, the bucket policy supports JSON, so it should be a string, i.e. "false".
You might have set up the policy Action as "Allow" instead of "Deny". Please re-check the policy and share it with us if you are still facing the same issue.
The second policy is not complying with SSL-only requests. Instead, the statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS.
You have to deny all requests to S3, i.e. s3:*, if you want only SSL requests to be made to the S3 bucket.
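A small check for the point made in this reply and in the string-versus-boolean answer above, added here as an example (it is not from the Knowledge Center article or from any commenter): it inspects a bucket policy document and reports whether it carries a Deny on s3:* for every principal when aws:SecureTransport is false, which is the shape the s3-bucket-ssl-requests-only rule looks for. The bucket name and the two sample policies are constructed placeholders modelled on the examples discussed in this thread.

```python
import json

def _as_list(v):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]

def _matches_all_principals(principal):
    """Principal "*" or {"AWS": "*"} applies the statement to every caller, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _covers_bucket_and_objects(resource, bucket_arn):
    """The Deny has to name both the bucket ARN and bucket/* (or everything) to cover all calls."""
    res = set(_as_list(resource))
    return "*" in res or {bucket_arn, bucket_arn + "/*"} <= res

def is_ssl_requests_only(policy, bucket_arn):
    """True if a statement denies s3:* to all principals when aws:SecureTransport is false."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue  # an Allow conditioned on HTTPS does not block HTTP requests
        if "s3:*" not in _as_list(st.get("Action", [])):
            continue  # denying only some actions leaves the rest reachable over HTTP
        if not _matches_all_principals(st.get("Principal")):
            continue
        if not _covers_bucket_and_objects(st.get("Resource", []), bucket_arn):
            continue
        values = _as_list(st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        # The examples on this page write the value as the string "false"; a JSON boolean is
        # normalised to the same text so the check does not hinge on that distinction.
        if any(str(v).lower() == "false" for v in values):
            return True
    return False

# Constructed sample policies (placeholder bucket name), modelled on the two examples in this thread.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
DENY_NON_TLS = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "RestrictToTLSRequestsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")
ALLOW_GET_OVER_TLS = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
  "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}""")

if __name__ == "__main__":
    print(is_ssl_requests_only(DENY_NON_TLS, BUCKET_ARN))        # True
    print(is_ssl_requests_only(ALLOW_GET_OVER_TLS, BUCKET_ARN))  # False
```

Combining the Allow statement with the Deny statement, as the earlier comment suggests, makes the combined document pass the check.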
Note that instead of manually creating a policy and attaching it to a bucket, the S3 Bucket CDK construct supports a single flag enforceSSL: true which will do that for you. See https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#enforcessl
Would it be possible to show how we can implement this solution using AWS CDK?
EDIT: If anyone comes across this thread before the article is updated, this is the solution I ended up with. Note that I don't understand the Principals part of this. I tried to use new AnyPrincipal(), which I saw several examples of, but this gave me an access denied error. If what I've done makes sense, maybe someone who understands it better could explain the implementation.
My comment was too long to post in one comment, so the code is in a comment below.
EDIT2: I just realized from Alex's answer above that including EnforceSSL = true in my code below is redundant when also adding the resource policy. Would be nice to get this confirmed/refuted.
```csharp
var myBucket = new Bucket(this, "MyBucket", new BucketProps
{
    BucketName = $"bucket-name",
    EnforceSSL = true
});

// Define the bucket policies to deny non-HTTPS connections and allow read access to all objects

// Statement 1: deny every S3 action on the bucket's objects when the request is not over TLS
myBucket.AddToResourcePolicy(new PolicyStatement(new PolicyStatementProps
{
    Actions = ["s3:*"],
    Effect = Effect.DENY,
    Principals = [new ServicePrincipal("s3.amazonaws.com")],
    Resources = [myBucket.BucketArn + "/*"],
    Conditions = new Dictionary<string, object>
    {
        { "Bool", new Dictionary<string, object> { { "aws:SecureTransport", false } } }
    }
}));

// Statement 2: allow GetObject on the bucket's objects when the request is over TLS
myBucket.AddToResourcePolicy(new PolicyStatement(new PolicyStatementProps
{
    Actions = ["s3:GetObject"],
    Effect = Effect.ALLOW,
    Principals = [new ServicePrincipal("s3.amazonaws.com")],
    Resources = [myBucket.BucketArn + "/*"],
    Conditions = new Dictionary<string, object>
    {
        { "Bool", new Dictionary<string, object> { { "aws:SecureTransport", true } } }
    }
}));
```
Is this config rule still necessary now that S3 requires TLS1.2? https://aws.amazon.com/blogs/storage/enforcing-encryption-in-transit-with-tls1-2-or-higher-with-amazon-s3/#:~:text=Update%20April%208%2C%202024:%20As,complete%20by%20December%2031%2C%202023