S3 bucket policy does not deny requests that use HTTP Affecting S3 service in AWS

    Severity Framework Snyk CCSS
    Rule category Data / Encryption in Transit

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00181
  • credit Snyk Research Team


To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data, which preserves integrity and prevents tampering.

How to fix?

Configure the aws_s3_bucket policy field or the aws_s3_bucket_policy with a valid action, effect, and condition.

Follow the detailed steps below:

  • If a bucket policy is defined in an aws_s3_bucket policy field, ensure the JSON document contains ALL of the following properties:

    • One or more valid actions:

      • "*"
      • "s3:*"
      • "s3:GetObject"
    • Valid effect:

      • Deny
    • Valid condition:

      • aws:SecureTransport": "false"
  • If a bucket policy as defined as an aws_s3_bucket_policy, ensure the JSON document in the policy field contains ALL of the properties listed above

Example Configuration

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
  # other required fields here