What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?

Last updated: 2021-04-27

I enabled the AWS Config rule s3-bucket-ssl-requests-only to be sure that my Amazon Simple Storage Service (Amazon S3) bucket policies require encryption during data transit. How can I create bucket policies that comply with this rule?

Resolution

Note: Amazon S3 offers encryption in transit and encryption at rest. Encryption in transit refers to HTTPS and encryption at rest refers to client-side or server-side encryption.

Amazon S3 accepts both HTTP and HTTPS requests. By default, requests made through the AWS Management Console or the AWS Command Line Interface (AWS CLI) use HTTPS.

To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policies explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests might not comply with the rule.

To distinguish HTTP requests from HTTPS requests in a bucket policy, use a condition that checks the key "aws:SecureTransport". When this key is true, the request was sent over HTTPS. To comply with the s3-bucket-ssl-requests-only rule, create a bucket policy that explicitly denies access when the request meets the condition "aws:SecureTransport": "false". Such a policy explicitly denies access to HTTP requests.

Bucket policy that complies with s3-bucket-ssl-requests-only rule

For example, the following bucket policy complies with the rule. The policy explicitly denies all actions on the bucket and objects when the request meets the condition "aws:SecureTransport": "false":

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

Bucket policy that doesn't comply with s3-bucket-ssl-requests-only rule

In contrast, the following bucket policy doesn't comply with the rule. Instead of using an explicit deny statement, the policy allows access to requests that meet the condition "aws:SecureTransport": "true". This statement allows anonymous access to s3:GetObject for all objects in the bucket if the request uses HTTPS. Avoid this type of bucket policy unless your use case requires anonymous access through HTTPS.

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NOT-RECOMMENDED-FOR__AWSCONFIG-Rule_s3-bucket-ssl-requests-only",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      },
      "Principal": "*"
    }
  ]
}
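The two policies above differ only in whether HTTP is explicitly denied. The following Python script is an added example (not AWS code and not the implementation of the Config rule itself) that checks a bucket policy document offline for the pattern this article describes: a Deny statement for Principal "*", covering s3:* on both the bucket and its objects, conditioned on "aws:SecureTransport": "false". It also flags Allow statements that only permit HTTPS, which is the non-compliant pattern shown above. The sample policies embedded in it are copied from the article; the function names and the exact matching logic are this example's own assumptions about what the rule expects.

```python
import json

# Constructed sample input: the two bucket policies shown in the article,
# compacted so the checker can be run offline without calling AWS.
COMPLIANT_POLICY = json.loads("""{
  "Id": "ExamplePolicy", "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowSSLRequestsOnly", "Action": "s3:*", "Effect": "Deny",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}, "Principal": "*"}]
}""")

NONCOMPLIANT_POLICY = json.loads("""{
  "Id": "ExamplePolicy", "Version": "2012-10-17",
  "Statement": [{"Sid": "NOT-RECOMMENDED-FOR__AWSCONFIG-Rule_s3-bucket-ssl-requests-only",
    "Action": "s3:GetObject", "Effect": "Allow",
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}, "Principal": "*"}]
}""")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. the statement applies to all callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_all_actions(actions):
    """The deny must cover every S3 action, not just s3:GetObject."""
    return any(a in ("*", "s3:*") for a in actions)


def _covers_bucket_and_objects(resources, bucket):
    """The deny must reach both the bucket ARN and every object under it."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    wildcard = {"*", "arn:aws:s3:::*"}
    has_bucket = any(r in wildcard or r == bucket_arn for r in resources)
    has_objects = any(r in wildcard or r == bucket_arn + "/*" for r in resources)
    return has_bucket and has_objects


def _secure_transport_values(condition):
    """Lower-cased values of a Bool aws:SecureTransport condition, or [] if absent."""
    raw = condition.get("Bool", {}).get("aws:SecureTransport")
    return [str(v).lower() for v in _as_list(raw)]


def requires_ssl(policy, bucket):
    """Return the Sid of the statement that explicitly denies HTTP access to
    `bucket` in the shape the article describes, or None if no statement does.
    (Assumption: this is an approximation of what the Config rule looks for.)"""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _covers_all_actions(_as_list(stmt.get("Action"))):
            continue
        if not _covers_bucket_and_objects(_as_list(stmt.get("Resource")), bucket):
            continue
        if _secure_transport_values(stmt.get("Condition", {})) != ["false"]:
            continue
        return stmt.get("Sid", "<no Sid>")
    return None


def https_only_allows(policy):
    """Sids of Allow statements that merely permit HTTPS (aws:SecureTransport true)
    without denying HTTP; this is the pattern the article says not to rely on."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and \
                _secure_transport_values(stmt.get("Condition", {})) == ["true"]:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT_POLICY), ("non-compliant", NONCOMPLIANT_POLICY)):
        sid = requires_ssl(policy, "DOC-EXAMPLE-BUCKET")
        print(f"{name}: explicit HTTP deny = {sid}; HTTPS-only allows = {https_only_allows(policy)}")
```

To check a live bucket, feed the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` to `requires_ssl` as the policy string. Note that the checker is deliberately strict: a Deny that names only object resources, only some actions, or a narrower Principal is reported as not requiring SSL, because HTTP access would still be possible through the uncovered path.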
