S3 Buckets Should Have A Secure Transport Policy
More Info:
AWS S3 buckets should enforce encryption of data over the network (as it travels to and from Amazon S3) using Secure Sockets Layer (SSL).
Risk Level
Critical
Address
Security
Compliance Standards
HIPAA, CISAWS, CBP, GDPR, NIST, SOC2, PCIDSS, ISO27001, AWSWAF, HITRUST, NISTCSF
Remediation
Using Console
- Open the AWS S3 Console.
- Navigate to the specific S3 bucket for which you want to enforce secure transport.
- Click on the “Permissions” tab.
- Scroll down to the “Bucket policy” section.
- Edit the bucket policy to enforce the use of HTTPS.
Here is an example policy snippet to enforce HTTPS:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
Alternate option (note: this variant only grants access over HTTPS; because its Principal is "*" and Action is "*", it grants that access to every caller, and it does not by itself reject plaintext HTTP requests. The Deny statement above is the form that actually enforces secure transport.)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}
Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
Using CLI
# Run the following AWS CLI command to update the bucket policy to enforce HTTPS
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}'
Alternate option
# Run the following AWS CLI command to update the bucket policy to allow HTTPS access
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}'
Replace YOUR_BUCKET_NAME with the name of your S3 bucket. Note that put-bucket-policy replaces the bucket's entire existing policy: if the bucket already has a policy, retrieve it with get-bucket-policy and add the Deny statement to it rather than overwriting the statements already present.
Using Python
import json
import boto3

def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)
    # Bucket policy to enforce secure transport (HTTPS): deny every request made over plaintext
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }
    # Apply the bucket policy (put_bucket_policy replaces any policy already on the bucket)
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )
    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region
remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)
Alternate option
import json
import boto3

def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)
    # Bucket policy that allows access only when the request arrives over HTTPS
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }
    # Apply the bucket policy (put_bucket_policy replaces any policy already on the bucket)
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )
    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region
remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)
Replace YOUR_BUCKET_NAME, YOUR_ACCESS_KEY and YOUR_SECRET_KEY, and update the region with your desired region in the Python script. (boto3 can also read credentials from the environment or a named profile, in which case the access key arguments can be omitted and the keys need not be written into the script.) Run the script, and it will enforce the use of HTTPS for the specified S3 bucket. Make sure to install the boto3 library if you haven't already:
pip install boto3
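The scripts above write a fresh policy, which drops any statements the bucket already carries. The following is an added example (not part of this page or of any vendor tool) showing how a practitioner would first check whether an existing policy already enforces secure transport and, if not, merge the Deny statement into it rather than overwrite it. The check deliberately counts only a Deny on aws:SecureTransport=false covering both the bucket and its objects; an Allow-with-SecureTransport=true statement does not refuse plaintext requests and so does not count. The existing policy, bucket name and role ARN below are constructed sample values; the merged document is what you would pass as the Policy string to put-bucket-policy.

```python
import json

# Constructed sample: an existing policy that grants a CI role read access and
# says nothing about transport. Account id, role and bucket are hypothetical.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCiRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}


def _as_list(value):
    """IAM policy grammar allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def secure_transport_deny_statement(bucket_name):
    """The Deny statement from the remediation above, parameterised on the bucket.
    "s3:*" is used instead of "*"; both cover every S3 action in a bucket policy."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket_name}/*", f"arn:aws:s3:::{bucket_name}"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def enforces_secure_transport(policy, bucket_name):
    """True if some statement denies all S3 actions to every principal over
    plaintext for both the bucket ARN and the object ARN pattern."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    needed = {bucket_arn, f"{bucket_arn}/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        if needed <= set(_as_list(stmt.get("Resource"))):
            return True
    return False


def merge_secure_transport_policy(existing_policy, bucket_name):
    """Return a new policy keeping every existing statement and adding the Deny
    statement only if it is missing, so re-running is idempotent."""
    if existing_policy:
        policy = json.loads(json.dumps(existing_policy))  # deep copy
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    policy["Statement"] = _as_list(policy.get("Statement"))
    if not enforces_secure_transport(policy, bucket_name):
        policy["Statement"].append(secure_transport_deny_statement(bucket_name))
    return policy


def render_policy(policy):
    """Serialise for put-bucket-policy, whose Policy parameter is a JSON string."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    merged = merge_secure_transport_policy(EXISTING_POLICY, "example-bucket")
    print(render_policy(merged))
    # To apply with boto3 (needs credentials, so not run here):
    # boto3.client("s3").put_bucket_policy(Bucket="example-bucket", Policy=render_policy(merged))
```

The merge step is the point: fetch the current policy with get-bucket-policy (or boto3's get_bucket_policy, which returns the Policy field as a JSON string), pass the parsed document through merge_secure_transport_policy, and only then call put-bucket-policy with the rendered result.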
Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.