How to restrict S3 to the latest TLS?

0

I'm working with 3rd party services, where I need to grant access to our S3 buckets, but I want to make sure that any request coming in to read/write follows the latest TLS protocol. How to achieve this?

asked a year ago · 362 views
2 answers
1

Hi,

The following Knowledge Center article describes how to enforce using TLS 1.2 or higher for Amazon S3 buckets. I hope this helps you.

EXPERT · answered a year ago
EXPERT · verified a year ago
0

Resolution

You can enforce using TLS 1.2 or higher for all connections to your S3 buckets by using a resource-based policy attached to your bucket.

To set a bucket policy that requires TLS versions 1.2 or higher:

1. Go to the S3 console.
2. Select the bucket from the list.
3. Navigate to the Permissions tab.
4. Under Bucket Policy, select Edit.
5. Add a policy to deny access to the encryption protocols that you want to prevent. For example, use the following policy to deny all HTTPS requests that use TLS versions lower than 1.2 (the wildcards in `Principal` and `Action` are required; they were lost in the original rendering):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTLSv12orHigher",
      "Principal": { "AWS": "*" },
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": 1.2 }
      }
    }
  ]
}
```

Confirm that you are using modern encryption protocols for S3

To test your new policy, use the following example curl command to make HTTPS requests using a specific legacy protocol:

```shell
curl https://${BUCKET_NAME}.s3.us-east-1.amazonaws.com/image.png -v --tlsv1.0 --tls-max 1.0
```

The example curl command returns Access Denied, as Amazon S3 detects that your request is not using TLS 1.2 or higher.

It’s a best practice to use AWS CloudTrail Lake to identify older TLS connections to AWS service endpoints. You can configure the CloudTrail Lake event data store to capture management events or data events. The corresponding CloudTrail event in CloudTrail Lake shows a TLS version of 1.2, confirming that your customers use a modern security policy to connect to Amazon S3.

AWS
answered a year ago
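The answer above gives the policy to apply and recommends CloudTrail Lake for finding older TLS connections. As an added example (not code from the re:Post answer, AWS, or the Knowledge Center article), the following pure-Python helpers let you audit both sides offline: one checks a bucket policy document (for instance the output of `aws s3api get-bucket-policy`) for a Deny statement that actually enforces `s3:TlsVersion >= 1.2` for every principal, action and resource on the bucket; the other scans CloudTrail records for the `tlsDetails.tlsVersion` field and returns the events that connected with an older version. The bucket policies and CloudTrail events embedded below are constructed samples; the `NotPrincipal`/`NotAction` forms are deliberately treated as non-enforcing, so a policy written that way must be reviewed by hand.

```python
"""Audit helpers for S3 minimum-TLS enforcement (added example, constructed data)."""
import json
import re


def _as_list(value):
    """Action/Resource/Principal fields may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """The deny must apply to all callers: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covers_bucket(resources, bucket):
    """The deny must cover both the bucket ARN and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    res = set(resources)
    wildcard = "*" in res or "arn:aws:s3:::*" in res
    return wildcard or (bucket_arn in res and f"{bucket_arn}/*" in res)


def policy_enforces_min_tls(policy_doc, bucket, min_version=1.2):
    """True if some Deny statement rejects every principal and every S3 action
    on the bucket and its objects whenever s3:TlsVersion < min_version."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        threshold = stmt.get("Condition", {}).get("NumericLessThan", {}).get("s3:TlsVersion")
        if threshold is None or float(threshold) < min_version:
            continue  # no TLS condition, or it only blocks versions below a lower bar
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        if not _covers_bucket(_as_list(stmt.get("Resource")), bucket):
            continue
        return True
    return False


_TLS_RE = re.compile(r"^TLSv(\d+(?:\.\d+)?)$")


def legacy_tls_events(events, min_version=1.2):
    """Return (eventID, sourceIPAddress, tlsVersion) for CloudTrail records whose
    tlsDetails.tlsVersion is below min_version. Records without tlsDetails are skipped."""
    found = []
    for ev in events:
        version = ev.get("tlsDetails", {}).get("tlsVersion", "")
        m = _TLS_RE.match(version)
        if m and float(m.group(1)) < min_version:
            found.append((ev.get("eventID"), ev.get("sourceIPAddress"), version))
    return found


# Constructed sample: the policy from the answer, with the wildcards in place.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceTLSv12orHigher",
        "Principal": {"AWS": "*"},
        "Action": ["s3:*"],
        "Effect": "Deny",
        "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*", "arn:aws:s3:::DOC-EXAMPLE-BUCKET"],
        "Condition": {"NumericLessThan": {"s3:TlsVersion": 1.2}},
    }],
})

# Constructed sample: looks similar but only blocks TLS < 1.1, so TLS 1.1 still gets through.
WEAK_POLICY = json.loads(GOOD_POLICY)
WEAK_POLICY["Statement"][0]["Condition"] = {"NumericLessThan": {"s3:TlsVersion": 1.1}}

# Constructed sample CloudTrail records (only the fields the scan needs).
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventID": "evt-2", "eventName": "PutObject", "sourceIPAddress": "203.0.113.9",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventID": "evt-3", "eventName": "GetObject", "sourceIPAddress": "198.51.100.8",
     "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256"}},
    {"eventID": "evt-4", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9"},
]

if __name__ == "__main__":
    print("good policy enforces TLS>=1.2:", policy_enforces_min_tls(GOOD_POLICY, "DOC-EXAMPLE-BUCKET"))
    print("weak policy enforces TLS>=1.2:", policy_enforces_min_tls(WEAK_POLICY, "DOC-EXAMPLE-BUCKET"))
    print("legacy TLS connections:", legacy_tls_events(SAMPLE_EVENTS))
```

The policy check is deliberately strict: a Deny that names only some principals, only some actions, or only the objects but not the bucket itself is reported as not enforcing, because each of those gaps leaves a path for a TLS 1.0/1.1 request to succeed. For CloudTrail, feed it the records from your Lake query (or the `Records` array of a trail file); events without `tlsDetails` are skipped rather than counted, so a large number of skipped events is itself worth a look.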
