AWS-S3-Secure-Transport

Severity: Medium

Description: This control ensures that a bucket policy enforcing "SecureTransport" exists for all objects inside a bucket. Encryption in transit mitigates the risk of data leakage and disclosure of sensitive data while it is in transit, and protects against sniffing attacks, especially when buckets and objects are accessed from outside the trusted network.

Remediation Steps:

Perform the following to enforce encryption in transit on an S3 bucket:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to the S3 console.

  3. In the navigation pane, select Buckets.

  4. Click the bucket to be modified, then click Permissions.

  5. Choose Bucket Policy.

  6. If the bucket has no existing bucket policy, define one with the following JSON:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::[Bucket-Name]",
            "arn:aws:s3:::[Bucket-Name]/*"
          ],
          "Condition": { "Bool": { "aws:SecureTransport": "false" } }
        }
      ]
    }

  7. If a bucket policy already exists, append the following statement to its Statement array:

    {
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::[Bucket-Name]",
        "arn:aws:s3:::[Bucket-Name]/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }

  8. Choose Save.

Important:

  • In a bucket policy for "SecureTransport", setting "Resource": "arn:aws:s3:::[Bucket-Name]/*" enforces the condition on all objects inside the bucket but not on the bucket URL itself, while setting "Resource": "arn:aws:s3:::[Bucket-Name]" enforces it on the bucket itself but not on the objects inside it. The statement above therefore lists both ARNs so that bucket-level and object-level requests are covered.
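As an added example (not part of this control's text), the following Python check parses an existing bucket policy, reports separately whether the bucket ARN and the object ARN are already covered by a Deny on aws:SecureTransport=false, and appends the statement from step 7 where coverage is missing. The sample policy and bucket name are constructed; the check reads policy JSON only and makes no AWS calls.

```python
import json

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _denies_everyone(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def secure_transport_coverage(policy_json, bucket_name):
    """Return (bucket_covered, objects_covered): whether s3:* is denied to everyone
    when aws:SecureTransport is false, checked per ARN (see the note above)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    covered = set()
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (stmt.get("Effect") == "Deny"
                and _denies_everyone(stmt.get("Principal"))
                and "s3:*" in _as_list(stmt.get("Action", []))
                and str(flag).lower() == "false"):
            covered.update(_as_list(stmt.get("Resource", [])))
    return bucket_arn in covered, f"{bucket_arn}/*" in covered

def with_secure_transport(policy_json, bucket_name):
    """Append the Deny statement (or create a fresh policy); unchanged if already covered."""
    if secure_transport_coverage(policy_json, bucket_name) == (True, True):
        return policy_json
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    statement = {
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],  # both ARNs: bucket and objects
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17"}
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [statement]
    return json.dumps(policy, indent=2)

# Constructed sample: an existing policy that covers only the objects, not the bucket.
SAMPLE_BUCKET = "example-bucket"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": f"arn:aws:s3:::{SAMPLE_BUCKET}/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Run `secure_transport_coverage(SAMPLE_POLICY, SAMPLE_BUCKET)` to see the object-only gap the note describes, and `with_secure_transport` to obtain the policy that closes it.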

Reference:

Blue Hexagon Proprietary