Use Amazon CloudWatch to check S3 bucket access logs for TLS 1.0 and TLS 1.1

Question

We recently received notification from Amazon regarding the identification of TLS 1.0 or TLS 1.1 connections to our S3 Bucket. Following the instructions provided in the links provided, we successfully enabled logging on our S3 Bucket and have saved a number of log files within the bucket. However, we encountered difficulties utilizing Amazon CloudWatch to effectively check and filter the log entries. Despite our efforts, we were unable to discern whether TLS 1.0 or TLS 1.1 connections are still active.

Also, we had a conversation with our website hosting provider, and they have confirmed that TLS 1.0 and TLS 1.1 are deprecated on their platform, with only TLS 1.2 and 1.3 currently in use.

Could you please provide us with detailed steps to verify if TLS 1.0 or TLS 1.1 connections are still active within our S3 Bucket?

Answer

You need to use Athena and not cloudwatch to query the S3 access logs and identify the TLS Version. The instructions can be found here https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-s3-access-logs-to-identify-requests.html

You can search for all requests for` "tlsversion" < '1.2'` . You can review and then if needed, enforce TLS 1.2 or above using an S3 Bucket Policy

As Such
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:*"
      ],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC_EXAMPLE_BUCKET/*",
        "arn:aws:s3:::DOC_EXAMPLE_BUCKET"
      ],
      "Condition": {
        "NumericLessThan": {
          "s3:TlsVersion": 1.2
        }
      }
    }
  ]
}
```

Use Amazon CloudWatch to check S3 bucket access logs for TLS 1.0 and TLS 1.1

Relevant content