S3 bucket policy accepts HTTP requests
Id: terraform-aws-s3-bucket-policy-accepts-http-requests
Provider: AWS
Platform: Terraform
Severity: Medium
Category: Encryption
Description: S3 bucket policies should explicitly deny unencrypted (HTTP) requests with a statement whose "Effect" is "Deny", whose "Principal" is "*", and whose condition is "Condition": { "Bool": { "aws:SecureTransport": "false" } }. The condition on its own does nothing; it only takes effect inside a Deny statement. That statement's "Resource" must list both the bucket ARN and the bucket's objects (arn:aws:s3:::bucket and arn:aws:s3:::bucket/*): object-level actions such as s3:GetObject and s3:PutObject are evaluated against the object ARN, so a deny scoped only to the bucket ARN still leaves object downloads and uploads over HTTP allowed. Without such a statement, clients can transmit sensitive data over unencrypted HTTP connections, exposing objects in transit to interception and man-in-the-middle attacks. Because an explicit Deny cannot be overridden by any Allow, the statement applies to every principal, including IAM users and roles in the bucket owner's own account. To ensure all traffic uses HTTPS, include the following condition in a Deny statement:
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
Requests made over plain HTTP are then rejected by S3 (403 AccessDenied), so objects can only be read or written over TLS, protecting both their confidentiality and their integrity in transit. Note that aws:SecureTransport is a Boolean condition key, so its value is written as the string "false".
# Compliant Code Examples
# Bucket definition only. The HTTPS-only requirement is enforced by the
# aws_s3_bucket_policy resource attached to this bucket below, not by this block.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
}
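# Bucket policy that denies every S3 action made over plain HTTP.
# The deny must cover BOTH the bucket ARN and the object ARNs ("<bucket>/*"):
# object-level actions (s3:GetObject, s3:PutObject, ...) are evaluated against
# the object ARN, so a deny scoped only to the bucket ARN would still let
# objects be fetched or uploaded over HTTP.
resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  # The heredoc is a Terraform template: the bucket ARN has to be interpolated
  # with "${...}". A bare "aws_s3_bucket.b.arn" string is not an ARN and S3
  # rejects such a policy as malformed, so nothing would be protected.
  # The Sid names what the statement does; "IPAllow" was a copy-paste leftover.
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "DenyInsecureTransport",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "${aws_s3_bucket.b.arn}",
            "${aws_s3_bucket.b.arn}/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  EOF
}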
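# The same HTTPS-only deny, expressed with the inline "policy" argument on
# aws_s3_bucket instead of a separate aws_s3_bucket_policy resource.
# NOTE(review): newer AWS provider versions deprecate the inline policy argument
# in favour of aws_s3_bucket_policy — confirm against the provider version in use.
# NOTE(review): this reuses the bucket name of aws_s3_bucket.b above; the two
# examples are alternatives and cannot coexist in one configuration, since
# bucket names are globally unique.
resource "aws_s3_bucket" "b2" {
  bucket = "my-tf-test-bucket"

  # A resource cannot reference its own attributes (aws_s3_bucket.b2.arn here
  # would be a dependency cycle), so the ARN is spelled out and must match the
  # "bucket" argument above. Both the bucket and its objects ("/*") are listed,
  # otherwise object-level actions over HTTP would still be allowed. The "aws"
  # partition differs in GovCloud/China regions.
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "DenyInsecureTransport",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::my-tf-test-bucket",
            "arn:aws:s3:::my-tf-test-bucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  EOF
}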
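# The same control applied through the community S3 module. The original
# example's two statements targeted "aws_s3_bucket.b" and "aws_s3_bucket.c",
# buckets this module does not create (and as bare strings they are not ARNs);
# the deny has to target the bucket the module actually manages.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # In this module the "policy" input is only attached to the bucket when
  # attach_policy is true (see the module's variables). Without it the deny
  # below is never applied, even though the configuration scans as compliant.
  # The module also offers attach_deny_insecure_transport_policy = true as a
  # built-in equivalent of the statement below.
  attach_policy = true

  # The module's own output (module.s3_bucket.s3_bucket_arn) cannot be used in
  # its own inputs (dependency cycle), so the ARN is spelled out and must match
  # "bucket" above. Bucket and object ARNs are both listed so that object-level
  # actions over HTTP are denied too.
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "DenyInsecureTransport",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::my-s3-bucket",
            "arn:aws:s3:::my-s3-bucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  EOF
}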
# Non-Compliant Code Examples
# Bucket definition only; the attached aws_s3_bucket_policy below is what makes
# this example non-compliant (it never denies aws:SecureTransport = false).
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
}
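# NON-COMPLIANT: the only statement restricts by source IP. Nothing denies
# requests with aws:SecureTransport = false, so the bucket still accepts
# unencrypted HTTP requests from every address other than 8.8.8.8/32.
# (The Sid "IPAllow" is misleading — the statement denies, not allows, that IP.)
resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id

  # The ARN is interpolated and the object ARNs included so the example is a
  # policy S3 would accept (a bare "aws_s3_bucket.b.arn" string is not an ARN).
  # This does not change why the example is non-compliant.
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "${aws_s3_bucket.b.arn}",
            "${aws_s3_bucket.b.arn}/*"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "8.8.8.8/32"
            }
          }
        }
      ]
    }
  EOF
}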
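# NON-COMPLIANT: inline bucket policy that only restricts by source IP; there
# is no Deny on aws:SecureTransport = false, so plain-HTTP requests are allowed.
# NOTE(review): newer AWS provider versions deprecate the inline policy argument
# in favour of aws_s3_bucket_policy — confirm against the provider version in use.
# NOTE(review): reuses the bucket name of aws_s3_bucket.b above; the examples
# are alternatives and cannot coexist in one configuration.
resource "aws_s3_bucket" "b2" {
  bucket = "my-tf-test-bucket"

  # Self-reference (aws_s3_bucket.b2.arn) would be a dependency cycle, so the
  # ARN is spelled out to match "bucket"; bucket and object ARNs are both listed
  # so the example is a policy S3 would accept. Still non-compliant.
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::my-tf-test-bucket",
            "arn:aws:s3:::my-tf-test-bucket/*"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "8.8.8.8/32"
            }
          }
        }
      ]
    }
  EOF
}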
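# NON-COMPLIANT: the module-managed bucket gets a policy that only restricts
# by source IP; nothing denies aws:SecureTransport = false, so unencrypted
# HTTP access remains permitted.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # In this module "policy" is only attached when attach_policy is true (see
  # the module's variables); without it the policy below would not exist on
  # the bucket at all. Set here so the example shows an attached, but still
  # insufficient, policy. attach_deny_insecure_transport_policy = true would
  # be the module's built-in way to make it compliant.
  attach_policy = true

  # The original targeted "aws_s3_bucket.b.arn", a bucket this module does not
  # create (and not a valid ARN as a bare string). The module's own output
  # cannot be referenced in its inputs (dependency cycle), so the ARN is
  # spelled out to match "bucket".
  policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Id": "MYBUCKETPOLICY",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::my-s3-bucket",
            "arn:aws:s3:::my-s3-bucket/*"
          ],
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "8.8.8.8/32"
            }
          }
        }
      ]
    }
  EOF
}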