CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
To protect data in transit, an S3 bucket policy should deny all HTTP requests to its objects and allow only HTTPS requests. HTTPS uses Transport Layer Security (TLS) to encrypt data in transit, which preserves confidentiality and integrity and prevents tampering.
Configure the policy field of the aws_s3_bucket resource, or a separate aws_s3_bucket_policy resource, with a valid action, effect, and condition.
Follow the detailed steps below:
If a bucket policy is defined in an aws_s3_bucket policy field, ensure the JSON document contains ALL of the following properties:
- One or more valid actions: "*", "s3:*", "s3:GetObject"
- Valid effect: Deny
- Valid condition: "aws:SecureTransport": "false"
If a bucket policy is defined as an aws_s3_bucket_policy resource, ensure the JSON document in its policy field contains ALL of the properties listed above.
Example configuration:
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  # other required fields here
}

resource "aws_s3_bucket_policy" "b" {
  bucket = aws_s3_bucket.b.id
  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "MYBUCKETPOLICY"
    Statement = [
      {
        Sid       = "IPAllow"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        # Cover both bucket-level and object-level requests: the "/*" object
        # ARN pattern is what denies plaintext GetObject/PutObject calls.
        Resource = [
          aws_s3_bucket.b.arn,
          "${aws_s3_bucket.b.arn}/*",
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      },
    ]
  })
  # other required fields here
}
Set the AWS::S3::BucketPolicy PolicyDocument.Statement.Condition.Bool.aws:SecureTransport field to false, and set the AWS::S3::BucketPolicy PolicyDocument.Statement.Effect field to Deny.
Example configuration:
Type: 'AWS::S3::BucketPolicy'
Properties:
  PolicyDocument:
    Version: '2012-10-17'   # quoted so generic YAML parsers do not read it as a date
    Statement:
      - Effect: Deny
        Action: '*'
        Resource: 'arn:aws:s3:::rule-181-bucket/*'
        Principal: '*'
        Condition:
          Bool:
            'aws:SecureTransport': 'false'
  # other required fields here
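The rule's three properties (a valid action, a Deny effect, and the aws:SecureTransport false condition) can be checked against a rendered policy document. The check below is an added example, not the scanner's own code; the sample policies are constructed from the examples above, and it also accepts the JSON boolean form of the condition value, which IAM permits alongside the string "false".

```python
import json

# Values the rule accepts (taken from the rule text above).
VALID_ACTIONS = {"*", "s3:*", "s3:GetObject"}


def _as_list(value):
    """Statement and Action may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy):
    """Return True if a bucket policy (dict or JSON string) has a statement that
    denies one of the accepted actions when aws:SecureTransport is false."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue  # an Allow conditioned on HTTPS does not block HTTP
        if not VALID_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        # IAM accepts the condition value as the string "false" or a JSON boolean.
        if cond is False or (isinstance(cond, str) and cond.lower() == "false"):
            return True
    return False


# Constructed sample: the deny statement from the Terraform example above,
# as it appears in the rendered policy JSON.
HARDENED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::my-tf-test-bucket", "arn:aws:s3:::my-tf-test-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: grants HTTPS reads but never denies HTTP, so principals
# with access from elsewhere (e.g. IAM policies) can still use plaintext.
WEAK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-tf-test-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

if __name__ == "__main__":
    print("hardened policy passes:", denies_insecure_transport(HARDENED))  # True
    print("weak policy passes:", denies_insecure_transport(WEAK))          # False
```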