Skip to main content

S3: use HTTPS requests only

Amazon S3 allows both HTTP and HTTPS requests. In order to ensure data protection, it is important to make sure data is encrypted at rest (server-side encryption) and in-transit. This rule deals with in-transit encryption. In transit encryption is enforced by using the HTTPS protocol, which allows TLS/SSL transport encryption.

Suggested Actions

Go to your problematic S3 bucket. In the Permissions tabs, add a policy statement setting "Effect" to "deny" and "Condition.Bool.aws:SecureTransport" to "false". See the example below.

Be careful when editing the file, as certain parameter configurations may prevent you from accessing the bucket (e.g. "Effect": "deny" and "aws:SecureTransport": "true").

{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": ["resourcename1/*", "resourcename2"],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}

Useful links