3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests

Information

At the Amazon S3 bucket level, permissions can be configured through a bucket policy to ensure objects are accessible only through HTTPS.

By default, Amazon S3 accepts both HTTP and HTTPS requests. To ensure that access to S3 objects is only permitted through HTTPS, you must explicitly deny requests for which the aws:SecureTransport condition key is false (that is, requests that did not arrive over TLS). Bucket policies that allow HTTPS requests without explicitly denying HTTP requests do not meet this requirement, because an Allow statement that is not used over HTTP does not block anything.

Solution

From Console:

- Sign in to the AWS Management Console and open the Amazon S3 console
- Select the bucket
- Select the Permissions tab
- Select Bucket policy
- Add one of the following statements to the policy

Deny HTTP requests (as written, the Resource covers objects only; add "arn:aws:s3:::<bucket_name>" to Resource as well, as in the TLS statement below, so that bucket-level calls such as ListBucket are also denied over HTTP):

{
"Sid": "<optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}

Enforce TLS version:

{
"Sid": "<optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/*"
],
"Condition": {
"NumericLessThan": {
"s3:TlsVersion": "1.2"
}
}
}

- Save the policy
- Repeat for all relevant buckets

From Console (using AWS Policy Generator):

- Repeat the first four console steps above
- Click on Policy Generator at the bottom of the Bucket Policy editor
- Select S3 Bucket Policy as the policy type
- Configure the statement:

- Effect = Deny
- Principal = *
- AWS Service = Amazon S3
- Actions = *
- Amazon Resource Name = <ARN of the S3 Bucket>,<ARN of the S3 Bucket>/* (comma-separated, so the statement covers both the bucket and its objects)
- Add Conditions: Condition = Bool, Key = aws:SecureTransport, Value = false

- Select Add Statement
- Select Generate Policy
- Copy the generated policy and add it to the bucket policy

Do not skip the condition: a Deny on all S3 actions for Principal * with no Condition blocks every request to the bucket, not just HTTP ones.

From Command Line:

- Export the existing policy, if one exists:

aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json

If the bucket does not already have a policy, create a new policy.json file containing a valid bucket policy document.

- Modify policy.json to include one of the following deny statements within the Statement array.

Option 1: Deny HTTP requests (as written, the Resource covers objects only; add "arn:aws:s3:::<bucket_name>" to Resource as well to deny bucket-level calls such as ListBucket over HTTP)

{
"Sid": "<optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}

Option 2: Enforce minimum TLS version

{
"Sid": "<optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/*"
],
"Condition": {
"NumericLessThan": {
"s3:TlsVersion": "1.2"
}
}
}

- Apply the modified policy back to the S3 bucket:

aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
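The command-line procedure above is a manual edit of policy.json. The following script is an added example, not part of the benchmark or of any AWS tooling, that automates both halves of it offline: it audits a policy document for a Deny statement that meets this control, and appends one when it is missing. It assumes the policy JSON is the text printed by the get-bucket-policy command above; the bucket name "example-bucket", the account ID 123456789012, the role name and the Sid "DenyInsecureTransport" are placeholders. The appended statement deliberately lists both the bucket ARN and the object ARN, which goes one step beyond the benchmark's Option 1 so that bucket-level calls are also denied over HTTP.

```python
"""Audit a bucket policy document for the deny-HTTP control and add the statement
when it is missing. Standard library only. Input is the JSON printed by
`aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text`."""
import copy
import json
from typing import Any, Dict, List, Tuple


def _as_list(value: Any) -> List[Any]:
    """Most policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """Both "*" and {"AWS": "*"} mean any principal, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _actions_cover_all_s3(actions: Any) -> bool:
    """The Deny only meets the control if it covers every S3 action ("s3:*" or "*")."""
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _resource_coverage(resources: Any, bucket: str) -> Tuple[bool, bool]:
    """Return (bucket ARN covered, object ARNs covered). Exact ARNs or a global
    wildcard only; partial patterns such as arn:aws:s3:::prod-* are not matched."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    res = set(_as_list(resources))
    wildcard = bool(res & {"*", "arn:aws:s3:::*"})
    return (wildcard or bucket_arn in res, wildcard or f"{bucket_arn}/*" in res)


def _denies_insecure_transport(stmt: Dict[str, Any]) -> bool:
    """True when Condition has Bool aws:SecureTransport == false. Condition keys are
    case-insensitive and the value may be the string "false" or a JSON boolean."""
    bool_block = stmt.get("Condition", {}).get("Bool", {})
    values = [v for k, v in bool_block.items() if k.lower() == "aws:securetransport"]
    return any(str(x).lower() == "false" for v in values for x in _as_list(v))


def audit_deny_http(policy: Dict[str, Any], bucket: str) -> Dict[str, bool]:
    """Report whether some Deny statement blocks all S3 actions over plain HTTP.
    Statements written with NotPrincipal/NotAction/NotResource are not recognised."""
    bucket_covered = objects_covered = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not (_actions_cover_all_s3(stmt.get("Action")) and _denies_insecure_transport(stmt)):
            continue
        b, o = _resource_coverage(stmt.get("Resource"), bucket)
        bucket_covered, objects_covered = bucket_covered or b, objects_covered or o
    return {
        "meets_control": objects_covered,     # the benchmark statement targets <bucket>/*
        "covers_bucket_arn": bucket_covered,  # also denies bucket-level calls such as ListBucket
    }


def add_deny_http_statement(policy: Dict[str, Any], bucket: str,
                            sid: str = "DenyInsecureTransport") -> Dict[str, Any]:
    """Return a copy of the policy with a deny-HTTP statement appended, unless one
    already covers both the bucket and its objects. The Sid is an arbitrary placeholder."""
    new_policy = copy.deepcopy(policy)
    result = audit_deny_http(new_policy, bucket)
    if result["meets_control"] and result["covers_bucket_arn"]:
        return new_policy
    new_policy.setdefault("Version", "2012-10-17")
    statements = _as_list(new_policy.get("Statement"))
    statements.append({
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    new_policy["Statement"] = statements
    return new_policy


# Constructed sample: a policy that grants a reader role access but says nothing
# about transport, so HTTP requests are still accepted. Account ID and role are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowReaderRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

if __name__ == "__main__":
    print(audit_deny_http(SAMPLE_POLICY, "example-bucket"))
    # Write the result to policy.json and apply it with `aws s3api put-bucket-policy`.
    print(json.dumps(add_deny_http_statement(SAMPLE_POLICY, "example-bucket"), indent=2))
```

The audit deliberately reports two flags rather than one: `meets_control` is what the benchmark's Option 1 statement satisfies (objects only), while `covers_bucket_arn` tells you whether ListBucket and other bucket-level calls are also refused over HTTP. An Allow statement carrying the same condition does not count, because an Allow never blocks anything.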

Impact:

If HTTP access is not explicitly denied, data transmitted to and from S3 buckets may be exposed to interception or man-in-the-middle attacks.

See Also

https://workbench.cisecurity.org/benchmarks/24575

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: amazon_aws

Control ID: 22c2babb1bc15bc6d1d016f94dd16fd5d6dfbb71457193e011d58eb241732845