> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# S3 Buckets Should Have A Secure Transport Policy

### More Info:

AWS S3 buckets should enforce encryption of data over the network (as it travels to and from Amazon S3) using Secure Sockets Layer (SSL).

### Risk Level

Critical

### Address

Security

### Compliance Standards

HIPAA, CISAWS, CBP, GDPR, NIST, SOC2, PCIDSS, ISO27001, AWSWAF, HITRUST, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Open the [AWS S3 Console](https://s3.console.aws.amazon.com/).
        2. Navigate to the specific S3 bucket for which you want to enforce secure transport.
        3. Click on the "Permissions" tab.
        4. Scroll down to the "Bucket policy" section.
        5. Edit the bucket policy to enforce the use of HTTPS.

        Here is an example policy snippet to enforce HTTPS:

        ```json theme={null}
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "DenyNonSSLRequests",
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": "s3:*",
                    "Resource": [
                        "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                        "arn:aws:s3:::YOUR_BUCKET_NAME"
                    ],
                    "Condition": {
                        "Bool": {
                            "aws:SecureTransport": "false",
                            "aws:PrincipalIsAWSService": "false"
                        }
                    }
                }
            ]
        }
        ```

        Replace `YOUR_BUCKET_NAME` with the name of your S3 bucket.

        #
      </Accordion>

      <Accordion title="Using CLI">
        ```bash theme={null}
        # Run the following AWS CLI command to update the bucket policy to enforce HTTPS
        aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "DenyNonSSLRequests",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:*",
              "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*", "arn:aws:s3:::YOUR_BUCKET_NAME"],
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false",
                  "aws:PrincipalIsAWSService": "false"
                }
              }
            }
          ]
        }'
        ```

        Replace `YOUR_BUCKET_NAME` with the name of your S3 bucket.
      </Accordion>

      <Accordion title="Using Python">
        ```python theme={null}
        import boto3

        def remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region):
            # Create an S3 client
            s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key, region_name=region)

            # Bucket policy to enforce secure transport (HTTPS)
            bucket_policy = {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "DenyNonSSLRequests",
                        "Effect": "Deny",
                        "Principal": "*",
                        "Action": "s3:*",
                        "Resource": [
                            f"arn:aws:s3:::{bucket_name}/*",
                            f"arn:aws:s3:::{bucket_name}"
                        ],
                        "Condition": {
                            "Bool": {
                                "aws:SecureTransport": "false",
                                "aws:PrincipalIsAWSService": "false"
                            }
                        }
                    }
                ]
            }

            # Apply the bucket policy
            s3_client.put_bucket_policy(
                Bucket=bucket_name,
                Policy=json.dumps(bucket_policy)
            )

            print(f"Secure transport policy (HTTPS) enforced for S3 bucket: {bucket_name}")

        # Example usage
        bucket_name = 'YOUR_BUCKET_NAME'
        aws_access_key_id = 'YOUR_ACCESS_KEY'
        aws_secret_access_key = 'YOUR_SECRET_KEY'
        region = 'us-east-1'  # Replace with your desired region

        remediate_s3_secure_transport_policy(bucket_name, aws_access_key_id, aws_secret_access_key, region)
        ```

        Replace `YOUR_BUCKET_NAME`, `YOUR_ACCESS_KEY`, `YOUR_SECRET_KEY`, and update the `region` with your desired region in the Python script. Run the script, and it will enforce the use of HTTPS for the specified S3 bucket. Make sure to install the `boto3` library if you haven't already:

        ```bash theme={null}
        pip install boto3
        ```

        Note: Ensure that you have the necessary permissions to make these changes, and exercise caution when applying changes to production environments.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)
* [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference\_policies\_condition-keys.html#condition-keys-securetransport](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-securetransport)
