By using AWS re:Post, you agree to the Terms of Use
/S3 SSL security hub check fails/

S3 SSL security hub check fails

0

Hi,

ive put in a s3 bucket policy that I thought should cover the issue below:

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation

but the alert is not going, my policy is below

{
    "Version": "2012-10-17",
    "Id": "BUCKET-POLICY",
    "Statement": [
        {
            "Sid": "TerraformAccountAccessRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxx:role/TerraformAccountAccessRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ]
        },
        {
            "Sid": "EnforceTls",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::security-statefile/*",
                "arn:aws:s3:::security-statefile"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                },
                "NumericLessThan": {
                    "s3:TlsVersion": "1.2"
                }
            }
        }
    ]
}
1 Answers
0

Separating out the Deny policy into multiple statements will pass the Security Hub check. i.e. have the "aws:SecureTransport": "false" part on its own, and the TlsVersion in another statement.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions