Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

S3 SSL security hub check fails

0

Hi,

ive put in a s3 bucket policy that I thought should cover the issue below:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

but the alert is not going, my policy is below

{
    "Version": "2012-10-17",
    "Id": "BUCKET-POLICY",
    "Statement": [
        {
            "Sid": "TerraformAccountAccessRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ]
        },
        {
            "Sid": "EnforceTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                },
                "NumericLessThan": {
                    "s3:TlsVersion": "1.2"
                }
            }
        }
    ]
}
Tópicos
ArmazenamentoSegurança, identidade e conformidade
Tags
Serviço de armazenamento simples da AmazonAWS Identity and Access ManagementHub de segurança da AWS
Idioma
English
rePost-User-2430939
feita há 2 anos469 visualizações
2 Respostas
1

Separating out the Deny policy into multiple statements will pass the Security Hub check. i.e. have the "aws:SecureTransport": "false" part on its own, and the TlsVersion in another statement.

AWS
Thomas_M
respondido há 2 anos
0

Expanding a bit on the answer by Thomas: the evaluation logic for multi-key conditions follows logical AND. This means that your policy requires both conditions must evaluate to true in order to DENY access. The first condition checks if the transport is over SSL and the second checks if the TLS version is less than 1.2. From this you get that access is denied only when there is no SSL. But if one uses SSL then no matter what the TLS version is - the access will be granted. What you need is a bucket policy that evaluates both conditions as logical OR and this boils down to what Thomas wrote: you must put two, separate statements each with a single condition. Please, take a look at this blog post where it is explained in depth.

AWS
RafalP
respondido há 2 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante