More Info:

AWS S3 buckets should enforce encryption of data over the network (as it travels to and from Amazon S3) using Secure Sockets Layer (SSL).

Risk Level

Critical

Address

Security

Compliance Standards

HIPAA, CISAWS, CBP, GDPR, NIST, SOC2, PCIDSS, ISO27001, AWSWAF, HITRUST, NISTCSF

Remediation

Using Console

  1. Open the AWS S3 Console.
  2. Navigate to the specific S3 bucket for which you want to enforce secure transport.
  3. Click on the “Permissions” tab.
  4. Scroll down to the “Bucket policy” section.
  5. Edit the bucket policy to enforce the use of HTTPS.

Here is an example policy snippet to enforce HTTPS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Alternate option

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.

Using CLI

# Run the following AWS CLI command to update the bucket policy to enforce HTTPS
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}'

Alternate option

# Run the following AWS CLI command to update the bucket policy to enforce HTTPS
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}'

Replace YOUR_BUCKET_NAME with the name of your S3 bucket.

Using Python

import boto3

def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)

    # Bucket policy to enforce secure transport (HTTPS)
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }

    # Apply the bucket policy
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )

    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region

remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)

Alternate option

import boto3

def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
    # Create an S3 client
    s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)

    # Bucket policy to enforce secure transport (HTTPS)
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": [
                    f"arn:aws:s3:::{bucket_name}/*",
                    f"arn:aws:s3:::{bucket_name}"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }

    # Apply the bucket policy
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=json.dumps(bucket_policy)
    )

    print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

# Example usage
bucket_name = 'YOUR_BUCKET_NAME'
aws_access_key_id = 'YOUR_ACCESS_KEY'
aws_secret_access_key = 'YOUR_SECRET_KEY'
region = 'us-east-1'  # Replace with your desired region

remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)

Replace YOUR_BUCKET_NAME, YOUR_ACCESS_KEY, YOUR_SECRET_KEY, and update the region with your desired region in the Python script. Run the script, and it will enforce the use of HTTPS for the specified S3 bucket. Make sure to install the boto3 library if you haven’t already:

pip install boto3

Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.

Additional Reading: