CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data in transit, which preserves integrity and prevents tampering.
Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy resource with a valid action, effect, and condition. Follow the detailed steps below:
If a bucket policy is defined in the aws_s3_bucket policy field, ensure the JSON document contains ALL of the following properties:

- One or more valid actions: "*", "s3:*", "s3:GetObject"
- Valid effect: Deny
- Valid condition: "aws:SecureTransport": "false"

If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains ALL of the properties listed above.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        # Cover both the bucket and its objects: the bucket ARN alone does not
        # match object-level requests such as s3:GetObject.
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
  # other required fields here
}
Set the AWS::S3::BucketPolicy PolicyDocument.Statement.Condition.Bool.aws:SecureTransport field to false, and set the AWS::S3::BucketPolicy PolicyDocument.Statement.Effect field to Deny.
Type: 'AWS::S3::BucketPolicy'
Properties:
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Deny
        Action: '*'
        # The '/*' suffix is what makes the Deny match object-level requests.
        Resource: 'arn:aws:s3:::rule-181-bucket/*'
        Principal: '*'
        Condition:
          Bool:
            'aws:SecureTransport': 'false'
  # other required fields here
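As an added check, not part of this rule's own scanner or of the snippets above, the function below applies the rule's criteria (Deny effect, an accepted action, Bool aws:SecureTransport false) to the JSON policy document that the Terraform policy argument or the CloudFormation PolicyDocument carries, and it also reports whether the Deny statement's Resource actually matches object-level requests, which a bare bucket ARN does not. The sample policies are constructed for this example, and evaluate_policy and its helpers are this example's own names.

```python
import json

# Actions the page's rule accepts as covering object reads.
ACCEPTED_ACTIONS = {"*", "s3:*", "s3:GetObject"}

def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action and Resource."""
    if isinstance(value, list):
        return value
    return [] if value is None else [value]

def _denies_insecure(stmt: dict) -> bool:
    """Deny + an accepted action + Bool aws:SecureTransport false (the rule's criteria)."""
    if stmt.get("Effect") != "Deny":
        return False
    if not ACCEPTED_ACTIONS & set(_as_list(stmt.get("Action"))):
        return False
    bool_cond = (stmt.get("Condition") or {}).get("Bool") or {}
    # The value may be the JSON string "false" or a bare boolean false.
    return str(bool_cond.get("aws:SecureTransport")).lower() == "false"

def _covers_objects(stmt: dict) -> bool:
    """Object-level requests only match a Resource of '*' or one ending in '/*'."""
    return any(r == "*" or r.endswith("/*") for r in _as_list(stmt.get("Resource")))

def evaluate_policy(policy_json: str) -> dict:
    """Return the rule verdict plus an object-coverage caveat for a policy document."""
    doc = json.loads(policy_json)
    deny_stmts = [s for s in _as_list(doc.get("Statement")) if _denies_insecure(s)]
    return {
        "compliant": bool(deny_stmts),
        "covers_objects": any(_covers_objects(s) for s in deny_stmts),
    }

# Constructed sample: the page's Terraform policy with the object wildcard added.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-tf-test-bucket", "arn:aws:s3:::my-tf-test-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
# Constructed sample: bucket ARN only, so object GETs over HTTP are not denied.
BUCKET_ONLY_POLICY = GOOD_POLICY.replace(', "arn:aws:s3:::my-tf-test-bucket/*"', "")
# Constructed sample: Allow instead of Deny, which the rule flags.
BAD_POLICY = GOOD_POLICY.replace('"Deny"', '"Allow"')
```

Calling evaluate_policy(BUCKET_ONLY_POLICY) shows the gap the rule alone does not catch: the statement satisfies the criteria, yet covers_objects is False.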