S3 Bucket Policy should deny HTTP requests

Description

At the Amazon S3 bucket level, you can configure permissions through a bucket policy that makes the objects accessible only through HTTPS.

Rationale

By default, Amazon S3 allows both HTTP and HTTPS requests. To only allow access to Amazon S3 objects through HTTPS, you have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.

Remediation

From the console

  1. Login to AWS Management Console and open: https://console.aws.amazon.com/s3/
  2. Select the Check box next to the Bucket.
  3. Click on Permissions.
  4. Click Bucket Policy
  5. Add the following to the existing policy, filling in the required information:
    {
     "Sid": <optional>",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::<bucket_name>/*",
     "Condition": {
         "Bool": {
             "aws:SecureTransport": "false"
         }
     }
     }   
    
  6. Click Save
  7. Repeat for all the buckets in your AWS account that contain sensitive data.

From the console

Using AWS Policy Generator:

  1. Repeat steps 1-4 above.

  2. Click on Policy Generator at the bottom of the Bucket Policy Editor.

  3. Select Policy Type S3 Bucket Policy.

  4. Add the following statements:

    • Effect = Deny
    • Principal = *
    • AWS Service = Amazon S3
    • Actions = *
    • Amazon Resource Name = <ARN of the S3 Bucket>
    
  5. Click on Generate Policy

  6. Copy the text and add it to the bucket policy.

From the command line

  1. Export the bucket policy to a JSON file.

    aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output
    text > policy.json
    
  2. Modify the policy.json file by adding in this statement:

    {
     "Sid": <optional>",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::<bucket_name>/*",
     "Condition": {
         "Bool": {
             "aws:SecureTransport": "false"
         }
     }
     }  
    
  3. Apply this modified policy back to the S3 bucket:

    aws s3api put-bucket-policy --bucket <bucket_name> --policy
    file://policy.json 
    

References

  1. https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
  2. https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply- defense-in-depth-to-help-secure-your-amazon-s3-data/
  3. [https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html][4]

defense-in-depth-to-help-secure-your-amazon-s3-data/ [4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html