This rule states that S3 buckets must mandate that requests use Secure Socket Layer (SSL) for enhanced security.

| Attribute | Value |
| --- | --- |
| Rule | S3 buckets should require requests to use Secure Socket Layer |
| Framework | AWS Foundational Security Best Practices |
| Severity | Medium |
Rule/Policy Description:
Under the AWS Foundational Security Best Practices, S3 buckets should require requests to use Secure Socket Layer (SSL). This rule ensures that all requests made to the S3 bucket are made over SSL, providing confidentiality and integrity for data in transit.
Troubleshooting Steps (if applicable):
Verify SSL Configuration: Check if SSL is properly configured for the S3 buckets. Ensure that all requests made to the bucket require SSL encryption.
Check Bucket Policies: Review the bucket policies to ensure that SSL is required for all requests. Make sure that the "aws:SecureTransport" condition is applied to all actions (the policy below denies any request where it evaluates to "false").
SSL Certificates: Verify if the SSL certificates are valid and not expired. Certificates should be properly configured and associated with the S3 bucket to enforce SSL encryption.
Access Logs: Check S3 access logs to identify any requests that are not using SSL. Look for any unauthorized or suspicious access attempts.
Necessary Codes (if applicable):
If the SSL configuration is missing or incorrect, you may need to modify the S3 bucket policy. Below is an example of a bucket policy that enforces SSL requests:
    {
      "Version": "2012-10-17",
      "Id": "RequireSSL",
      "Statement": [
        {
          "Sid": "SSLRequired",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }

The Resource list names both the bucket ARN and the object ARN so that bucket-level requests (such as listing objects) are denied over plain HTTP as well as object-level requests.
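As an added example (not part of the original rule page), the following Python script implements the "Check Bucket Policies" step offline: it parses a bucket policy document and reports whether a Deny statement with `aws:SecureTransport` set to `false` covers both the bucket ARN and the object ARN. The two sample policies are constructed for this example, and resource matching is by exact ARN only.

```python
import json

# Constructed sample: Resource lists only the object ARN, so bucket-level calls
# such as ListBucket are still permitted over plain HTTP.
OBJECT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SSLRequired", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: the same statement covering both the bucket and its objects.
FULL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SSLRequired", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _denies_insecure_transport(stmt):
    """True if stmt denies every principal and every S3 action when aws:SecureTransport is false."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not {"*", "s3:*"} & set(_as_list(stmt.get("Action", []))):
        return False
    values = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", []))
    return any(str(v).lower() == "false" for v in values)

def check_ssl_enforcement(policy_json, bucket):
    """Return (compliant, missing_arns); both the bucket ARN and bucket/* must be covered."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    required = {bucket_arn, bucket_arn + "/*"}
    covered = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if _denies_insecure_transport(stmt):
            # Exact ARN matches only; wildcard resource patterns are not expanded here.
            covered |= required & set(_as_list(stmt.get("Resource", [])))
    missing = sorted(required - covered)
    return (not missing, missing)
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` for a real bucket to audit it the same way.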
Step-by-Step Guide for Remediation:
Open the AWS Management Console: Log in to the AWS Management Console with appropriate credentials.
Access S3 Service: Navigate to the S3 service by clicking on the "Services" dropdown and selecting "S3".
Select Bucket: Choose the S3 bucket for which you want to enforce SSL encryption.
Open Bucket Permissions: Click on the "Permissions" tab for the selected bucket.
Edit Bucket Policy: In the "Bucket policy" section, click on the "Edit" button.
Modify Bucket Policy: Update the bucket policy to include the SSL requirement. You can either add the following statement to an existing policy or create a new policy:
    {
      "Version": "2012-10-17",
      "Id": "RequireSSL",
      "Statement": [
        {
          "Sid": "SSLRequired",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }

Replace example-bucket with the name of your bucket in both Resource entries.
Save Bucket Policy: After modifying the bucket policy, click on the "Save changes" button to apply the SSL requirement.
Test SSL Enforcement: Test the SSL enforcement by accessing the S3 bucket using an HTTP URL. The request should be denied and return an error.
Verify SSL Access: Access the S3 bucket using an HTTPS URL to ensure SSL encryption is enforced properly.
By following these steps, you will successfully enforce SSL encryption for requests made to the S3 bucket, aligning with the AWS Foundational Security Best Practices.