
S3 Bucket Allows HTTP Requests

Overview

At the bucket level, an Amazon S3 bucket policy can restrict access so that the bucket and its objects are reachable only over HTTPS. By default Amazon S3 accepts both HTTP and HTTPS requests, so any data read or written over HTTP travels in cleartext. Nothing in S3 rejects HTTP on its own: to enforce HTTPS you must add an explicit Deny statement whose condition matches requests for which the aws:SecureTransport condition key is false, i.e. requests sent over plain HTTP. Because an explicit Deny overrides every Allow in the policy, the statement applies to all principals regardless of what else the policy grants.

Remediation:

Add the following statement to the bucket policy via the AWS Console or CLI (if the bucket has no policy yet, create one with s3api put-bucket-policy). The Resource list must name both the bucket ARN and the bucket/* ARN: the first covers bucket-level operations such as s3:ListBucket, the second covers object operations. Listing only the object ARN leaves bucket-level calls reachable over HTTP. Note that the condition value "false" is written as a string.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<optional>",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

If the bucket already has a policy, append this statement to the existing Statement array rather than replacing the document, because put-bucket-policy overwrites the whole policy.
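The check described above, written out as an added example (not code from the original page or from AWS): a small evaluator that scans a bucket policy document for a Deny statement meeting all four conditions (Effect Deny, Principal everyone, Action covering s3:*, Condition Bool aws:SecureTransport false) and reports separately whether the bucket ARN and the object ARN are covered, plus a helper that appends the remediation statement to an existing policy. The bucket name example-bucket and the three sample policies are constructed for the example; IAM lets most fields be a scalar or a list and the Bool value may be the string "false" or a JSON false, so the evaluator normalises both.

```python
import json
from typing import Any, Dict, List

# Constructed sample data for the example; not taken from any real account.
BUCKET = "example-bucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/*"

# Non-compliant: only an Allow, so HTTP requests are still accepted.
POLICY_HTTP_ALLOWED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": OBJECT_ARN}],
})

# Partially compliant: objects are protected, bucket-level calls (ListBucket) are not.
POLICY_OBJECTS_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": OBJECT_ARN,
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
})

# Compliant: both ARNs, Principal in the {"AWS": "*"} form, Bool value as JSON false.
POLICY_COMPLIANT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": ["s3:*"],
                   "Resource": [BUCKET_ARN, OBJECT_ARN],
                   "Condition": {"Bool": {"aws:SecureTransport": False}}}],
})


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """Both "*" and {"AWS": "*"} mean every principal, including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_covers_all_s3(action: Any) -> bool:
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _denies_insecure_transport(stmt: Dict[str, Any]) -> bool:
    """True when the statement is conditioned on aws:SecureTransport being false."""
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    return str(bool_cond.get("aws:SecureTransport", "")).lower() == "false"


def check_bucket_policy(policy_json: str, bucket: str) -> Dict[str, bool]:
    """Report whether the policy denies HTTP for the bucket ARN and the object ARN."""
    policy = json.loads(policy_json)
    result = {"bucket_protected": False, "objects_protected": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _action_covers_all_s3(stmt.get("Action")):
            continue
        if not _denies_insecure_transport(stmt):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or f"arn:aws:s3:::{bucket}" in resources:
            result["bucket_protected"] = True
        if "*" in resources or f"arn:aws:s3:::{bucket}/*" in resources:
            result["objects_protected"] = True
    result["compliant"] = result["bucket_protected"] and result["objects_protected"]
    return result


def remediated_policy(policy_json: str, bucket: str,
                      sid: str = "AllowSSLRequestsOnly") -> str:
    """Append the HTTPS-only Deny statement; start a new document if none exists."""
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17"}
    statements = _as_list(policy.get("Statement"))
    statements.append({
        "Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    policy["Statement"] = statements
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, doc in [("http_allowed", POLICY_HTTP_ALLOWED),
                      ("objects_only", POLICY_OBJECTS_ONLY),
                      ("compliant", POLICY_COMPLIANT)]:
        print(name, check_bucket_policy(doc, BUCKET))
    print(remediated_policy(POLICY_HTTP_ALLOWED, BUCKET))
```

In practice the policy string fed to check_bucket_policy comes from `aws s3api get-bucket-policy --bucket example-bucket --query Policy --output text`, and the output of remediated_policy is written to a file and applied with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`. A bucket with no policy at all (get-bucket-policy fails with NoSuchBucketPolicy) is non-compliant as well; pass an empty string to remediated_policy to build a fresh document for it.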

Vendor

AWS

Cloud Service

S3

CIS AWS Foundations Benchmark v1.5.0 control 2.1.2, AWS Security Hub control S3.5

References

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html

Severity

3

Item Types

AWS::S3::Bucket