S3 Buckets Should Have A Secure Transport Policy
More Info:
AWS S3 buckets should enforce encryption of data in transit (as it travels to and from Amazon S3) by requiring SSL/TLS (HTTPS) for every request; plain-HTTP requests must be rejected.
Risk Level
Critical
Address
Security
Compliance Standards
HIPAA, CISAWS, CBP, GDPR, NIST, SOC2, PCIDSS, ISO27001, AWSWAF, HITRUST, NISTCSF
Triage and Remediation
Remediation
- Open the AWS S3 Console.
- Navigate to the specific S3 bucket for which you want to enforce secure transport.
- Click on the “Permissions” tab.
- Scroll down to the “Bucket policy” section.
- Edit the bucket policy to add a statement that denies every request made with "aws:SecureTransport" set to false (i.e. over plain HTTP).
Here is an example policy snippet to enforce HTTPS. A Deny statement is the right tool: an explicit Deny overrides any Allow, so HTTP requests fail regardless of what other policies grant.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "arn:aws:s3:::YOUR_BUCKET_NAME"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Alternate option
The Allow form below grants access only when the request arrives over HTTPS. It does not by itself block plain-HTTP requests that other policies permit, so it complements rather than replaces the Deny statement above. It must never be written with "Principal": "*": an Allow to everyone makes the bucket public, whatever condition is attached. Scope it to the principal you actually intend to grant; YOUR_ACCOUNT_ID below is a placeholder for that principal's account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "arn:aws:s3:::YOUR_BUCKET_NAME"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```
Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
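Before remediating, an auditor usually wants to know whether a bucket's existing policy already contains the enforcing Deny described above, and whether it contains the dangerous public Allow. The following detection routine is an added example, not code from the original page: it evaluates a bucket policy document offline (fetching the document with get_bucket_policy is left to the caller), and the bucket name and the three sample policies are constructed placeholders. It checks more than the single snippet on the page: the Deny must apply to every principal, cover all S3 actions, and name both the bucket ARN and the object ARN pattern, otherwise bucket-level calls such as ListBucket over HTTP are still permitted.

```python
import json

# Constructed sample policies for the demonstration (placeholder bucket name,
# not taken from any real account).
BUCKET = "example-bucket"

# Deny covering bucket + objects: the enforcing form.
ENFORCING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Allow to everyone over HTTPS: does not block HTTP and makes the bucket public.
ALLOW_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "*",
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Deny on object ARNs only: bucket-level operations over HTTP are still allowed.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. everyone / anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _covers_all_s3_actions(actions):
    acts = {str(a).lower() for a in _as_list(actions)}
    return "*" in acts or "s3:*" in acts


def _covers_bucket_and_objects(resources, bucket):
    """The Deny must name both the bucket ARN and the object ARN pattern."""
    res = set(_as_list(resources))
    if "*" in res or "arn:aws:s3:::*" in res:
        return True
    return f"arn:aws:s3:::{bucket}" in res and f"arn:aws:s3:::{bucket}/*" in res


def _secure_transport_is(statement, expected):
    """True if the statement carries Condition.Bool.aws:SecureTransport == expected."""
    value = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if value is None:
        return False
    return {str(v).lower() for v in _as_list(value)} == {expected}


def audit_secure_transport(policy_document, bucket):
    """Evaluate a bucket policy (JSON string or dict) for the secure-transport control.

    Returns {"enforces_https": bool, "findings": [str, ...]}. Statements using
    NotPrincipal/NotAction/NotResource are flagged for manual review rather
    than evaluated.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    enforces = False
    findings = []
    for st in _as_list(policy.get("Statement")):
        if any(k in st for k in ("NotPrincipal", "NotAction", "NotResource")):
            findings.append(f"Statement {st.get('Sid', '<no Sid>')} uses a Not* element; review manually")
            continue
        effect = st.get("Effect")
        if (effect == "Deny"
                and _is_any_principal(st.get("Principal"))
                and _covers_all_s3_actions(st.get("Action"))
                and _covers_bucket_and_objects(st.get("Resource"), bucket)
                and _secure_transport_is(st, "false")):
            enforces = True
        elif effect == "Allow" and _is_any_principal(st.get("Principal")):
            # An Allow to everyone is public access, whatever its condition says.
            findings.append("Allow statement with Principal \"*\" grants public access "
                            f"(condition: {st.get('Condition', {})})")
    if not enforces:
        findings.append("No Deny statement for aws:SecureTransport=false covering both "
                        f"arn:aws:s3:::{bucket} and arn:aws:s3:::{bucket}/*")
    return {"enforces_https": enforces, "findings": findings}


if __name__ == "__main__":
    for name, doc in [("enforcing", ENFORCING_POLICY), ("allow-only", ALLOW_ONLY_POLICY),
                      ("objects-only", OBJECTS_ONLY_POLICY)]:
        print(name, audit_secure_transport(doc, BUCKET))
```

In a real audit, feed the string returned in the "Policy" field of get_bucket_policy to audit_secure_transport (a bucket with no policy at all raises NoSuchBucketPolicy and is non-compliant). The routine is deliberately conservative: anything it cannot evaluate is reported as a finding instead of being assumed safe.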
```bash
# Run the following AWS CLI command to update the bucket policy to enforce HTTPS
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}'
```
Alternate Option
This Allow form only grants HTTPS access to the named principal; it does not block HTTP on its own, so keep the Deny statement above as the actual enforcement. Do not use "Principal": "*" in an Allow statement, as that makes the bucket public. YOUR_ACCOUNT_ID is a placeholder for the account of the principal being granted access.

```bash
# Run the following AWS CLI command to grant the named principal access over HTTPS only
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}'
```
Replace YOUR_BUCKET_NAME with the name of your S3 bucket. Note that put-bucket-policy replaces the bucket's existing policy in full; if the bucket already has one, merge this statement into it rather than overwriting it.
```python
import json

import boto3


def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id=None,
                                         aws_secret_access_key=None, region=None):
    """Attach a bucket policy that denies every request not made over HTTPS.

    If no keys are passed, boto3 falls back to its default credential chain
    (environment variables, shared profile, or instance/role credentials),
    which is preferable to embedding static keys in a script.
    """
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id,
                             aws_secret_access_key=aws_secret_access_key,
                             region_name=region)
    # Bucket policy to enforce secure transport (HTTPS): an explicit Deny on
    # aws:SecureTransport=false overrides any Allow, so plain-HTTP requests
    # fail for every principal.
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }
    # Apply the bucket policy. put_bucket_policy replaces any existing policy
    # on the bucket, so merge this statement into an existing policy if needed.
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )
    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")


# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region
remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)
```
Alternate option
As with the policy snippets above, the Allow form grants a named principal access over HTTPS only; it does not deny HTTP by itself and must not be written with "Principal": "*", which would make the bucket public. YOUR_ACCOUNT_ID is a placeholder for the account of the principal being granted access.

```python
import json

import boto3


def remediate_s3_secure_transport_policy(bucket_name, account_id, aws_access_key_id=None,
                                         aws_secret_access_key=None, region=None):
    """Grant the given account access to the bucket over HTTPS only.

    Without explicit keys, boto3 uses its default credential chain, which is
    preferable to hard-coding static credentials in a script.
    """
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id,
                             aws_secret_access_key=aws_secret_access_key,
                             region_name=region)
    # Allow the named principal (placeholder account root) only when the
    # request is made over HTTPS. Never use "*" as the principal here.
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }
    # Apply the bucket policy (replaces any existing policy on the bucket)
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )
    print(f"HTTPS-only access policy applied for S3 bucket: {bucket_name}")


# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
account_id = 'YOUR_ACCOUNT_ID'  # Placeholder: account of the principal to grant
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region
remediate_s3_secure_transport_policy(bucket_name, account_id, aws_access_key_id,
                                     aws_secret_access_key, region)
```
Replace YOUR_BUCKET_NAME, YOUR_ACCESS_KEY, YOUR_SECRET_KEY, and update the region with your desired region in the Python script. Run the script, and it will enforce the use of HTTPS for the specified S3 bucket. Make sure to install the boto3 library if you haven't already:

```bash
pip install boto3
```
Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.