turbot/aws_compliance

Control: 5 S3 buckets should require requests to use Secure Socket Layer

Description

This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

S3 buckets should have policies that require all requests (Action: S3:*) to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport.

This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.

Remediation

  1. Open the Amazon S3 console.
  2. Navigate to the noncompliant bucket, and then choose the bucket name.
  3. Choose Permissions, then choose Bucket Policy.
  4. Add a similar policy statement to that in the policy below. Replace awsexamplebucket with the name of the bucket you are modifying.
{
"Id": "ExamplePolicy",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSSLRequestsOnly",
"Action": "s3:*",
"Effect": "Deny",
"Resource": [
"arn:aws:s3:::awsexamplebucket",
"arn:aws:s3:::awsexamplebucket/*"
],
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
},
"Principal": "*"
}
]
}
  1. Choose Save.

Usage

steampipe check aws_compliance.control.foundational_security_s3_5

SQL

This control uses a named query:

s3_bucket_enforces_ssl

Tags