Does the TLS 1.2 requirement also retire http requests

I am looking into a notification that we are accessing our S3 bucket via a non support TLS version, however, going through all the access logs, the only non TLS1.2 requests are - as they are plain http requests.

Is the TLS 1.2 requirement also deprecating http requests?

Topics

Storage Internet of Things (IoT)

Tags

Amazon Simple Storage Service Transport Layer Security (TLS)

Language

English

AWS-User-8443772

asked 9 months ago224 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

No, HTTP is still a supported protocol for S3, see: Amazon Simple Storage Service endpoints and quotas.

But you can disable the HTTP protocol using a condition in your IAM policies. Example:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

EXPERT

kentrad

answered 9 months ago

AWS-User-8443772
9 months ago
Thanks for the information. I received a notification on my AWS Health Dashboard "Security tls deprecation notification". I am going through the AWS S3 bucket access logs and cannot find any that aren't - or tls1.2. Under Affected Resources there is just 1 listed. Does that mean only one bucket is affected or there has only been one request to that one bucket that would be affected?
kentrad EXPERT
9 months ago
"Affected Resource" would refer to the bucket. Not sure how many requests to that bucket that involves.
AWS-User-8443772
9 months ago
Thanks again - is there an easy way to see the number of non tls 1.2 or http requests made without going through every object in the s3 logs bucket and checking?
kentrad EXPERT
9 months ago
I would use Athena to query these logs. https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-s3-access-logs-to-identify-requests.html
AWS-User-8443772
9 months ago
Thanks again, I really appreciate it. Unfortunately, every step I take I hit another roadblock. I'm getting the slow down error https://repost.aws/questions/QU2JCqkDnLStC-HowHqYN6xA/athena-query-error. Is there any way to pass in a date range for creation of the S3 objects to be searched? Or another way to "stagger" the search. I got around 1/12 of the way through the data searched before it errored out.

Relevant content

How to check S3 bucket access logs in Cloudwatch to determine TLS versions?
Accepted Answer
Uday
asked 22 days ago
TLS 1.2 Action Required Notification
Steve
asked 7 months ago
Use Amazon CloudWatch to check S3 bucket access logs for TLS 1.0 and TLS 1.1
Wisdm2824
asked 2 months ago
S3 Transfer Acceleration + older TLS versions
Accepted Answer
sonny
asked a year ago
Can I push server access logs about an Amazon S3 bucket into the same bucket?
AWS OFFICIALUpdated 7 months ago
How do I allow access to my Amazon S3 buckets to customers who do not use TLS 1.2 or higher?
AWS OFFICIALUpdated 2 years ago
How do I enforce TLS 1.2 or later for my Amazon S3 buckets?
AWS OFFICIALUpdated 9 months ago
How do I troubleshoot HTTP 403 Forbidden errors from an API Gateway custom domain name that requires mutual TLS?
AWS OFFICIALUpdated 6 months ago
How do I find the SMTP clients using deprecated TLS versions?
EXPERT
Jonathan_D
published 6 months ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago