S3 TLS deprecation on June 28th - Need help


I have an entire file system of photos built over many years for my business which requires a large amount of publicly accessible files. Everything works with my current setup, but after researching this TLS upgrade and attempting to apply new bucket policies that force TLS v1.2, I notice my website does not load the images from the direct Amazon S3 public URL. I am referencing the bucket policies listed in this article for testing: https://repost.aws/knowledge-center/s3-enforce-modern-tls

I'm not familiar with S3 security and permissions much and was hoping I would never have to make changes after spending a lot of time getting this working, but now I'm really worried my entire website will go down on June 28th when the deprecation happens. I can't imagine accessing publicly available files in my bucket would stop working for this using the latest Chrome browser, but that seems to be the case, and at this point I need to ensure there will be no interruption after June 28th.

Any help would be appreciated.

I'm going to set up a new bucket and try to configure it again to continue researching this, but I could really use an expert's help.

3 Answers
Accepted Answer

It's not clear to me exactly how your bucket is being accessed by clients, but if its inbuilt static website hosting is used then it connects via HTTP, so you need to include the alternate condition statement shown in https://repost.aws/knowledge-center/s3-enforce-modern-tls:

"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  },
  "NumericLessThan": {
    "s3:TlsVersion": 1.2
  }
}

In other words, insert that into the main policy provided so you end up with:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {
        "AWS": "*"
      },
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        },
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}

And change the EXAMPLE lines of course.

However, a better approach is to front-end your bucket with CloudFront, which can then use a secure connection to the bucket, and allow secure connections by clients to CloudFront. Doing away with HTTP protects your users from man-in-the-middle attacks. Your CloudFront distribution can allow pre-TLS 1.2 if needed, but this should be avoided. See https://repost.aws/knowledge-center/s3-access-old-tls for example.

Note also that the "enforce 1.2" changes you're doing only apply if your bucket is being accessed over HTTPS (so not just via the inbuilt static website). And they don't need to be done before the deprecation date; they are in effect bringing that date forward, making TLS <1.2 break now instead of later. That can be a good thing to give you advance warning of what will break; you can then roll back while you fix what's broken.

answered a year ago
reviewed 10 months ago
  • Thank you all for the answers, I think I have it resolved. The bucket policy was not correct.
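To see why the accepted answer's statement leaves the plain-HTTP website endpoint alone while still denying old TLS, here is an added Python example (not from the answer or from AWS) that evaluates that statement against a few constructed request contexts using a deliberately simplified model of IAM condition semantics: operators are ANDed, and a key missing from the request context (s3:TlsVersion is absent for HTTP requests) makes the operator false. For comparison it also includes a constructed "HTTPS only" deny statement, which is the kind of policy that does block the website endpoint; the bucket name is the answer's DOC-EXAMPLE-BUCKET placeholder and the request contexts are made up.

```python
BUCKET = "DOC-EXAMPLE-BUCKET"  # placeholder name from the answer
RESOURCES = [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]

# Deny statement from the accepted answer: deny only when the request is
# TLS (SecureTransport true) AND the negotiated version is below 1.2.
ENFORCE_TLS12 = {
    "Sid": "EnforceTLSv12orHigher", "Principal": {"AWS": "*"},
    "Action": ["s3:*"], "Effect": "Deny", "Resource": RESOURCES,
    "Condition": {
        "Bool": {"aws:SecureTransport": "true"},
        "NumericLessThan": {"s3:TlsVersion": 1.2},
    },
}

# Constructed comparison statement (not from the page): the usual "HTTPS only" deny.
REQUIRE_HTTPS = {
    "Sid": "RequireHTTPS", "Principal": {"AWS": "*"},
    "Action": ["s3:*"], "Effect": "Deny", "Resource": RESOURCES,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}

# Constructed request contexts; a plain-HTTP request (the S3 website
# endpoint) carries no s3:TlsVersion key at all.
REQUESTS = {
    "https_tls13": {"aws:SecureTransport": "true", "s3:TlsVersion": 1.3},
    "https_tls12": {"aws:SecureTransport": "true", "s3:TlsVersion": 1.2},
    "https_tls11": {"aws:SecureTransport": "true", "s3:TlsVersion": 1.1},
    "http_website_endpoint": {"aws:SecureTransport": "false"},
}

def condition_matches(condition, ctx):
    """Simplified IAM semantics (only Bool and NumericLessThan modelled):
    operators are ANDed, and a key missing from ctx makes its operator false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "NumericLessThan" and not float(actual) < float(expected):
                return False
    return True

def denied_by(statement, ctx):
    return statement["Effect"] == "Deny" and condition_matches(statement["Condition"], ctx)

def evaluate(statement):
    """Map each constructed request to True if the statement denies it."""
    return {name: denied_by(statement, ctx) for name, ctx in REQUESTS.items()}
```

Running `evaluate(ENFORCE_TLS12)` denies only the TLS 1.1 request, while `evaluate(REQUIRE_HTTPS)` denies only the HTTP website-endpoint request.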


Hi there!

I have a few questions:

  1. Is your website hosted in AWS? An EC2 instance perhaps?
  2. Besides not seeing the images, when you open the browser developer tools, what errors do you see in the console? (those should be highlighted in red).

Thank you

answered a year ago

How is your website hosted? Is it a public S3 bucket, or hosted via an EC2 web server or the like?

Please can you supply the policy you were trying to apply to your bucket, as you may have just miswritten the policy.

In theory you may not need to make any changes to your bucket policy, as you are just enforcing this.

answered a year ago