Policy bucket force SSL

Question

Hello, I would like to know how I can insert a policy in a bucket to accept only SSL connections. I used this policy model below and from testing it did not work.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictToTLSRequestsOnly",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
        ],
        "Condition": {
            "Bool": {
                "aws:SecureTransport": "false"
            }
        },
        "Principal": "*"
    }]
}

Accepted Answer

Hello.

I think you can limit access to only HTTPS by setting the bucket policy described in the document below.  
https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule  
```
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
```
You can check the settings by running the following command.  
You can confirm that if you explicitly send a request via HTTP with "--endpoint-url", it will be rejected.  
```
# Success
aws s3 ls s3://s3-bucket-name/ --endpoint-url https://s3.ap-northeast-1.amazonaws.com

# Fail
aws s3 ls s3://s3-bucket-name/ --endpoint-url http://s3.ap-northeast-1.amazonaws.com
```

Answer

It looks like you have followed this, but missed a couple of wildcards https://repost.aws/knowledge-center/s3-bucket-policy-for-config-rule

Your `"Action": "s3:",` entry should be `"Action": "s3:*",`

Similarly `"arn:aws:s3:::DOC-EXAMPLE-BUCKET/"` needs to be `"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"`

(I think it's the first one that is more important)

Policy bucket force SSL

Relevant content