It's not clear to me exactly how your bucket is being accessed by clients, but if its inbuilt static website hosting is used then it connects via http, so you need to include the alternate condition statement shown in https://repost.aws/knowledge-center/s3-enforce-modern-tls:
```json
"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  },
  "NumericLessThan": {
    "s3:TlsVersion": 1.2
  }
}
```
In other words, insert that into the main policy provided so you end up with:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {
        "AWS": "*"
      },
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        },
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}
```
And change the EXAMPLE lines of course.
However a better approach is to front-end your bucket with CloudFront which can then use a secure connection to the bucket, and allow secure connections by clients to CloudFront. Doing away with http protects your users from man-in-the-middle attacks. Your CloudFront distribution can allow pre-TLS1.2 if needed but this should be avoided. See https://repost.aws/knowledge-center/s3-access-old-tls for example.
Note also that the "enforce 1.2" changes you're doing only apply if your bucket is being accessed over https (so not just via the inbuilt static website). And they don't need to be done before the deprecation date - they are in effect bringing that date forward, making TLS <1.2 break now instead of later. That can be a good thing to give you advance warning of what will break; you can then roll back while you fix what's broken.
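A way to sanity-check a bucket policy like the one in the answer above before applying it, as an added example that is not part of the original answer or AWS's own code. The function name `audit_tls_policy` and its result keys are hypothetical, and the sample policy is constructed from the answer with the placeholder bucket name.

```python
import json

# Constructed sample: the policy shape from the answer, with the placeholder bucket name.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "EnforceTLSv12orHigher",
    "Principal": {"AWS": "*"},
    "Action": ["s3:*"],
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
    "Condition": {
      "Bool": {"aws:SecureTransport": "true"},
      "NumericLessThan": {"s3:TlsVersion": 1.2}
    }
  }]
}
""")

def _as_list(value):
    """IAM allows a single value where a list is accepted."""
    return value if isinstance(value, list) else [value]

def _lower_keys(mapping):
    """Condition key names are case-insensitive, so compare them lowercased."""
    return {k.lower(): v for k, v in mapping.items()}

def audit_tls_policy(policy, bucket):
    """Summarise the Deny statement keyed on s3:TlsVersion, or return None if absent."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        less_than = _lower_keys(cond.get("NumericLessThan", {}))
        if stmt.get("Effect") != "Deny" or "s3:tlsversion" not in less_than:
            continue
        secure = _lower_keys(cond.get("Bool", {})).get("aws:securetransport")
        return {
            "min_tls": float(less_than["s3:tlsversion"]),
            # Both the bucket ARN and the object ARN must be listed.
            "missing_resources": sorted(wanted - set(_as_list(stmt.get("Resource", [])))),
            # Conditions are ANDed: with SecureTransport "true" the deny only
            # matches HTTPS requests, so plain-HTTP requests are not covered.
            "https_only": str(secure).lower() == "true",
        }
    return None
```

Calling `audit_tls_policy(SAMPLE_POLICY, "DOC-EXAMPLE-BUCKET")` on a policy that was pasted with the placeholder name left in, but checked against the real bucket name, reports both ARNs under `missing_resources`.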
Hi there!
I have a few questions:
- Is your website hosted in AWS? An EC2 instance perhaps?
- Besides not seeing the images, when you open the browser developer tools, what errors do you see in the console? (those should be highlighted in red).
Thank you
Thank you all for the answers, I think I have it resolved. The bucket policy was not correct.
How is your website hosted? Is it a public S3 bucket or hosted via an EC2 web server as such?
Please can you supply the policy you were trying to apply to your bucket, as you may have just miswritten the policy.
In theory you may not need to make any changes to your bucket policy as you are just enforcing this.