S3 https remediation

Triage and Remediation

Remediation

Using Console

Open the AWS S3 Console.
Navigate to the specific S3 bucket for which you want to enforce secure transport.
Click on the “Permissions” tab.
Scroll down to the “Bucket policy” section.
Edit the bucket policy to enforce the use of HTTPS.

Here is an example policy snippet to enforce HTTPS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.

Using CLI

# Run the following AWS CLI command to update the bucket policy to enforce HTTPS
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}'

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.

Using Python

import boto3

def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)

    # Bucket policy to enforce secure transport (HTTPS)
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }

    # Apply the bucket policy
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )

    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region

remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)

Replace YOUR_BUCKET_NAME, YOUR_ACCESS_KEY, YOUR_SECRET_KEY, and update the region with your desired region in the Python script. Run the script, and it will enforce the use of HTTPS for the specified S3 bucket. Make sure to install the boto3 library if you haven’t already:

pip install boto3

Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

S3 https remediation

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation