Snyk ID: SNYK-CC-00181
Credit: Snyk Research Team
Description
To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data, which preserves integrity and prevents tampering.
How to fix?
Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy resource with a valid action, effect, and condition.
Follow the detailed steps below:
If a bucket policy is defined in an aws_s3_bucket policy field, ensure the JSON document contains ALL of the following properties:
One or more valid actions:
"*"
"s3:*"
"s3:GetObject"
Valid effect:
Deny
Valid condition:
"aws:SecureTransport": "false"
If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains ALL of the properties listed above.
Example Configuration
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        # Cover the bucket itself and every object in it: the bucket ARN
        # alone does not match object-level requests such as s3:GetObject.
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        # Deny any request that did not arrive over TLS (plain HTTP).
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
  # other required fields here
}
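The check described under "How to fix?" can be applied to a rendered policy document before it is deployed. The following is an added example, not Snyk's scanner or code from this page: it parses a JSON bucket policy and reports whether any statement carries the required action, effect and condition. The two sample policies and the function name are constructed for the example.

```python
import json

# Actions the rule accepts as covering object reads (from the fix steps).
REQUIRED_ACTIONS = {"*", "s3:*", "s3:GetObject"}


def denies_insecure_transport(policy_json: str) -> bool:
    """Return True if some statement denies plain-HTTP access per SNYK-CC-00181.

    A statement passes only if it has Effect "Deny", at least one accepted
    action, and a Bool condition "aws:SecureTransport" = "false".
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):        # "Action" may be a string or a list
            actions = [actions]
        if not REQUIRED_ACTIONS.intersection(actions):
            continue
        value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if isinstance(value, list):         # IAM also allows a list of values
            value = value[0] if value else None
        if str(value).lower() == "false":
            return True
    return False


# Constructed sample: public read with no transport condition (non-compliant).
PUBLIC_READ_STATEMENT = {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
}
NONCOMPLIANT_POLICY = json.dumps({"Version": "2012-10-17",
                                  "Statement": [PUBLIC_READ_STATEMENT]})

# Constructed sample: same policy plus the deny-HTTP statement (compliant).
DENY_HTTP_STATEMENT = {
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17",
                               "Statement": [PUBLIC_READ_STATEMENT, DENY_HTTP_STATEMENT]})

# A condition on an Allow statement does not satisfy the rule; the effect must be Deny.
WRONG_EFFECT_POLICY = json.dumps({"Version": "2012-10-17",
                                  "Statement": [dict(DENY_HTTP_STATEMENT, Effect="Allow")]})
```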