S3 general purpose buckets should have static website hosting disabled

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

AWS S3 bucket website hosting should not be enabled because it increases the chance of accidentally exposing sensitive data and does not consistently support HTTPS, potentially leading to insecure connections and data interception. Additionally, it lacks advanced security features such as authentication, DDoS protection, and detailed access logging, which are provided by services like CloudFront. S3 bucket website hosting is also incompatible with the S3 Block Public Access (BPA) feature when all BPA controls are enabled.

Remediation

For guidance on securely configuring static S3 website hosting, refer to the Restrict access to an Amazon Simple Storage Service origin section of the Amazon CloudFront Developer Guide.