How do I enforce using TLS 1.2 or higher for my Amazon S3 buckets?


My customers use old TLS versions. I want to enforce using a recent TLS version when they access content that’s stored in my Amazon Simple Storage Service (Amazon S3) buckets. How do I enforce using TLS 1.2 or higher for my Amazon S3 buckets?

Short description

It’s a best practice to use modern encryption protocols for data in transit. You can enforce using TLS 1.2 or higher for connections to Amazon S3 by updating your bucket's security policy.

Note: If your customers don’t use TLS 1.2 or higher, then they can't access content that’s stored in your S3 buckets.

Resolution

You can enforce using TLS 1.2 or higher for all connections to your S3 buckets by using a resource-based policy attached to your bucket.

To set a bucket policy that requires TLS versions 1.2 or higher:

  1. Go to the S3 console.
  2. Select the bucket from the list.
  3. Navigate to the Permissions tab.
  4. Under Bucket Policy, select Edit.
  5. Add a policy to deny access to the encryption protocols that you want to prevent. For example, use the following policy to deny all HTTPS requests that use TLS versions lower than 1.2:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {
        "AWS": "*"
      },
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}
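To see how the Deny statement above behaves before you attach it, the following added example (not AWS code or part of the original article) evaluates the policy offline. It takes the article's policy verbatim, fills the DOC-EXAMPLE-BUCKET placeholder with a constructed bucket name (my-example-bucket), and models only what this policy uses: the explicit Deny, the s3:TlsVersion numeric condition key, and IAM's wildcard matching for Action and Resource. A real request also needs an Allow from somewhere, so a result of "not denied" here means only that this statement does not block it.

```python
"""Offline evaluator for the TLS-version Deny statement in the bucket policy above."""
import fnmatch
import json

# Added example, not AWS code. ARTICLE_POLICY is the article's policy verbatim;
# BUCKET is a constructed name standing in for your real bucket.
BUCKET = "my-example-bucket"
PLACEHOLDER = "DOC-EXAMPLE-BUCKET"

ARTICLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {"AWS": "*"},
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}}
    }
  ]
}
"""


def load_policy(bucket):
    """Replace the placeholder with the real bucket name and parse the JSON."""
    return json.loads(ARTICLE_POLICY.replace(PLACEHOLDER, bucket))


def _as_list(value):
    # Action and Resource may be a single string or a list in IAM JSON.
    return value if isinstance(value, list) else [value]


def placeholder_resources(policy):
    """Resource ARNs that still contain the placeholder (S3 rejects such a policy)."""
    return [r for st in policy["Statement"]
            for r in _as_list(st["Resource"]) if PLACEHOLDER in r]


def _any_match(patterns, value):
    # IAM treats * and ? as wildcards in Action and Resource strings.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the Condition block against the request context keys."""
    if not condition:
        return True  # an unconditional statement always applies
    unsupported = set(condition) - {"NumericLessThan"}
    if unsupported:
        raise NotImplementedError(f"operator(s) not modelled: {sorted(unsupported)}")
    for key, bound in condition["NumericLessThan"].items():
        # An absent context key makes the condition false, so the Deny does not
        # apply: a plain-HTTP request carries no s3:TlsVersion key at all.
        if key not in context or not float(context[key]) < float(bound):
            return False
    return True


def is_denied(policy, action, resource_arn, tls_version):
    """True if an explicit Deny statement in the policy matches this request."""
    context = {} if tls_version is None else {"s3:TlsVersion": tls_version}
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not _any_match(st["Action"], action):
            continue
        if not _any_match(st["Resource"], resource_arn):
            continue
        if _condition_holds(st.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    policy = load_policy(BUCKET)
    obj = f"arn:aws:s3:::{BUCKET}/image.png"
    for version in (1.0, 1.1, 1.2, 1.3):
        print(f"TLS {version}: s3:GetObject denied = {is_denied(policy, 's3:GetObject', obj, version)}")
```

The evaluator also shows two things the comments below run into: a policy that still contains DOC-EXAMPLE-BUCKET is reported by placeholder_resources, and a Resource list that names only the bucket ARN without the matching "/*" entry leaves object-level actions such as s3:PutObject outside the Deny.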

Confirm that you are using modern encryption protocols for S3

To test your new policy, use the following example curl command to make HTTPS requests using a specific legacy protocol:

curl https://${BUCKET_NAME}.s3.us-east-1.amazonaws.com/image.png -v --tlsv1.0 --tls-max 1.0

The example curl command returns an Access Denied error, because Amazon S3 detects that the request isn't using TLS 1.2 or higher.

It’s a best practice to use AWS CloudTrail Lake to identify older TLS connections to AWS service endpoints. You can configure the CloudTrail Lake event data store to capture management events or data events. The corresponding CloudTrail event in CloudTrail Lake shows a TLS version of 1.2, confirming that your customers use a modern security policy to connect to Amazon S3.
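The CloudTrail check above is something you can automate. The following added example (not AWS code or part of the original article) scans S3 data events for connections below TLS 1.2 using the tlsDetails.tlsVersion field that CloudTrail records on TLS connections, and groups the findings by client so you know which customers still need to upgrade. The events are constructed samples, not real CloudTrail output, and the version labels follow CloudTrail's "TLSv1.2" style; the same filter is what you would query for in a CloudTrail Lake event data store.

```python
"""Flag S3 CloudTrail events whose connection used a TLS version below a minimum."""

# Constructed sample events (not real CloudTrail output). Only the fields the
# scan uses are present; tlsDetails mirrors the block CloudTrail records.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.5",
     "userAgent": "modern-client/2.0",
     "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET", "key": "image.png"},
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventTime": "2024-01-10T12:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "198.51.100.10",
     "userAgent": "legacy-client/1.0",
     "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET", "key": "upload.bin"},
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    {"eventTime": "2024-01-10T12:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.10",
     "userAgent": "legacy-client/1.0",
     "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET", "key": "image.png"},
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventTime": "2024-01-10T12:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.5",
     "userAgent": "modern-client/2.0",
     "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET"},
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"}},
]


def parse_tls_version(label):
    """'TLSv1.2' -> 1.2, 'TLSv1' -> 1.0; missing or unrecognised labels -> None."""
    if not label or not label.startswith("TLSv"):
        return None
    try:
        return float(label[len("TLSv"):])
    except ValueError:
        return None


def legacy_tls_events(events, minimum=1.2):
    """Return a summary of every event whose TLS version is below `minimum`.

    Events with no tlsDetails are skipped here rather than treated as modern;
    review them separately instead of assuming they are compliant.
    """
    findings = []
    for ev in events:
        version = parse_tls_version(ev.get("tlsDetails", {}).get("tlsVersion"))
        if version is None or version >= minimum:
            continue
        params = ev.get("requestParameters") or {}
        findings.append({
            "eventTime": ev.get("eventTime"),
            "eventName": ev.get("eventName"),
            "bucket": params.get("bucketName"),
            "sourceIPAddress": ev.get("sourceIPAddress"),
            "userAgent": ev.get("userAgent"),
            "tlsVersion": ev["tlsDetails"]["tlsVersion"],
        })
    return findings


def summarize_by_client(findings):
    """Count legacy-TLS events per (source IP, user agent) pair."""
    counts = {}
    for f in findings:
        key = (f["sourceIPAddress"], f["userAgent"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = legacy_tls_events(SAMPLE_EVENTS)
    for client, n in summarize_by_client(flagged).items():
        print(f"{client[0]} ({client[1]}): {n} request(s) below TLS 1.2")
```

Run this over the events before you attach the Deny policy and the client list tells you who will lose access; run it afterwards and an empty result confirms that every logged connection meets the minimum.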


AWS OFFICIAL
Updated 5 months ago

6 Comments

@ePost-User-4212034: You need to replace the placeholder DOC-EXAMPLE-BUCKET in the policy with your bucket name. Otherwise, you will get the error.

AWS
replied 2 months ago

When I enter the policy shown in this article, and then click the "Save Changes" button, I receive the error "policy has invalid resource".

replied 2 months ago

Hi, I'm having an issue while uploading a file using the above permissions in PHP.

Testing bucket name: testme

Content added in bucket permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": [ "arn:aws:s3:::testme" ],
      "Condition": { "NumericLessThan": { "s3:TlsVersion": "1.2" } }
    }
  ]
}

Code sample PHP : if($s3->putObjectFile($tmp, $bucket , $foldername , S3::ACL_PUBLIC_READ) )

Should I do anything more to allow file uploads from my PHP server to the S3 bucket?

abhishek@myshala.com

replied a month ago

@DevinF: Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a month ago

Hello, @abhishek: Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a month ago

Is there an appropriate command that would indicate that the S3 bucket is correctly using TLS 1.2, rather than just validating that it's not using TLS <1.2?

This still gave me access denied: curl https://${BUCKET_NAME}.s3.us-east-1.amazonaws.com/image.png -v --tlsv1.2 --tls-max 1.2

DevinF
replied 2 months ago