S3 SSL security hub check fails

0

Hi,

ive put in a s3 bucket policy that I thought should cover the issue below:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

but the alert is not going, my policy is below

{
    "Version": "2012-10-17",
    "Id": "BUCKET-POLICY",
    "Statement": [
        {
            "Sid": "TerraformAccountAccessRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ]
        },
        {
            "Sid": "EnforceTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                },
                "NumericLessThan": {
                    "s3:TlsVersion": "1.2"
                }
            }
        }
    ]
}
2 Answers
1

Separating out the Deny policy into multiple statements will pass the Security Hub check. i.e. have the "aws:SecureTransport": "false" part on its own, and the TlsVersion in another statement.

AWS
answered 2 years ago
0

Expanding a bit on the answer by Thomas: the evaluation logic for multi-key conditions follows logical AND. This means that your policy requires both conditions must evaluate to true in order to DENY access. The first condition checks if the transport is over SSL and the second checks if the TLS version is less than 1.2. From this you get that access is denied only when there is no SSL. But if one uses SSL then no matter what the TLS version is - the access will be granted. What you need is a bucket policy that evaluates both conditions as logical OR and this boils down to what Thomas wrote: you must put two, separate statements each with a single condition. Please, take a look at this blog post where it is explained in depth.

AWS
RafalP
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions