
Ensure S3 Bucket Policy Rule

Check compliance for denying HTTP requests in S3 Bucket Policy.

Rule: Ensure S3 Bucket Policy is set to deny HTTP requests
Framework: cis_v140
Severity: Critical

Rule: Ensure S3 Bucket Policy is set to deny HTTP requests for cis_v140

Description: This rule checks that the bucket policy of the S3 bucket named "cis_v140" denies requests made over plain HTTP. Accepting only HTTPS (TLS) requests protects the bucket's data in transit from interception and tampering.

Troubleshooting Steps: If any issues arise with the S3 bucket policy denying HTTP requests for "cis_v140", please follow these troubleshooting steps:

  1. Verify the bucket name: Ensure that the bucket name mentioned in the rule is correctly spelled as "cis_v140". If the bucket name is different, you may need to adjust the policy enforcement accordingly.
  2. Review the bucket policy: Double-check the existing bucket policy and its statements. Make sure there are no conflicting statements allowing HTTP requests.
  3. Check for typos or syntax errors: Ensure that the bucket policy does not contain any typos or syntax errors. These issues can prevent the policy from being enforced correctly.
  4. Retrieve and review the S3 bucket policy: Use the AWS S3 console or the AWS command-line interface (CLI) to fetch the current bucket policy and inspect it for errors or conflicts. The AWS CLI command to retrieve the bucket policy is:
     aws s3api get-bucket-policy --bucket cis_v140

     The command prints a JSON object whose "Policy" field holds the policy document as a JSON-encoded string; decode that string and review the statements to identify any potential issues.
  5. Check for conflicting IAM policies: Verify that there are no conflicting identity and access management (IAM) policies associated with the bucket or the AWS account. A Deny statement always wins over any Allow, but an IAM policy may grant HTTP access to objects the bucket policy's Deny statement does not cover (for example, bucket-level actions when the Deny lists only object ARNs).

Code: If the bucket policy for "cis_v140" does not already exist, you can use the following AWS CLI command to create and enforce a policy that denies HTTP requests for the bucket. The policy is passed in single quotes so the shell does not interpret the JSON, and the statement covers every S3 action (s3:*) on both the bucket ARN and the object ARN, so that listing and uploading over plain HTTP are denied as well as downloading:

aws s3api put-bucket-policy --bucket cis_v140 --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyHTTP",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::cis_v140",
                "arn:aws:s3:::cis_v140/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}'

Please note that put-bucket-policy replaces the bucket's existing policy in full. Running this command on a bucket that already has a policy discards the old statements, so in that case add the "DenyHTTP" statement to the existing policy instead of running the command as-is.
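The following checker, an added example rather than Cloud Defense's or AWS's own code, evaluates a bucket policy the way a compliance scan for this rule would: it decodes the double-encoded output of get-bucket-policy and passes the policy only if some statement denies every principal every S3 action on both the bucket and its objects whenever aws:SecureTransport is false. The bucket name and the two sample policies are constructed for the example; the second sample shows why a Deny limited to s3:GetObject on object ARNs does not satisfy the control.

```python
"""Offline checker for the "deny HTTP requests" S3 bucket policy rule.
Added example; not Cloud Defense's or AWS's code. Sample data is constructed."""
from __future__ import annotations
import json
from typing import Any

BUCKET = "cis_v140"  # bucket name used on this page (treated as a placeholder)


def load_policy(cli_output: str) -> dict:
    """Parse `aws s3api get-bucket-policy` output.

    The CLI wraps the policy as {"Policy": "<json string>"}: the inner value is
    a policy document serialised as a string, so it must be decoded a second
    time. A bare policy document is accepted as well.
    """
    outer = json.loads(cli_output)
    if isinstance(outer, dict) and isinstance(outer.get("Policy"), str):
        return json.loads(outer["Policy"])
    return outer


def _as_list(value: Any) -> list:
    # Policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_all_principals(principal: Any) -> bool:
    # "*" and {"AWS": "*"} both mean every principal, anonymous included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_all_actions(actions: list) -> bool:
    return any(a in ("*", "s3:*") for a in actions)


def _covers_bucket_and_objects(resources: list, bucket: str) -> bool:
    # Bucket-level actions (ListBucket) match the bucket ARN; object actions
    # (GetObject, PutObject) match the "/*" ARN. Both must be listed.
    bucket_arn = f"arn:aws:s3:::{bucket}"
    bucket_ok = any(r in ("*", bucket_arn) for r in resources)
    objects_ok = any(r in ("*", bucket_arn + "/*") for r in resources)
    return bucket_ok and objects_ok


def _requires_insecure_transport(condition: Any) -> bool:
    # The Deny must be scoped by Bool aws:SecureTransport == "false" so that it
    # hits plain-HTTP requests and nothing else.
    if not isinstance(condition, dict):
        return False
    values = _as_list(condition.get("Bool", {}).get("aws:SecureTransport"))
    return any(str(v).lower() == "false" for v in values)


def statement_denies_http(stmt: dict, bucket: str) -> bool:
    return (
        stmt.get("Effect") == "Deny"
        and _denies_all_principals(stmt.get("Principal"))
        and _covers_all_actions(_as_list(stmt.get("Action")))
        and _covers_bucket_and_objects(_as_list(stmt.get("Resource")), bucket)
        and _requires_insecure_transport(stmt.get("Condition"))
    )


def check_policy(policy: dict, bucket: str) -> tuple:
    """Return (compliant, reason) for the deny-HTTP rule."""
    for stmt in _as_list(policy.get("Statement")):
        if isinstance(stmt, dict) and statement_denies_http(stmt, bucket):
            return True, f"statement {stmt.get('Sid', '<no Sid>')} denies non-TLS access"
    return False, "no statement denies all principals all s3 actions when aws:SecureTransport is false"


# Constructed sample: what get-bucket-policy prints for a compliant bucket.
COMPLIANT_CLI_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})})

# Constructed sample: denies only GetObject on object ARNs over HTTP. Listing
# the bucket or uploading over HTTP is still possible, so the rule fails.
PARTIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    for label, policy in [("compliant", load_policy(COMPLIANT_CLI_OUTPUT)),
                          ("get-only", PARTIAL_POLICY)]:
        ok, why = check_policy(policy, BUCKET)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({why})")
```

To run it against a real bucket, pipe the CLI output into load_policy (for example `aws s3api get-bucket-policy --bucket cis_v140 | python check.py`, reading stdin); the double decode is the step most ad-hoc scripts get wrong. The checker is deliberately strict about resources and actions because a Deny that omits the bucket ARN or names a single action leaves other HTTP operations allowed by any matching Allow.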

Remediation Steps: To ensure that the S3 bucket policy for "cis_v140" denies HTTP requests, follow these step-by-step remediation instructions:

  1. Open the AWS S3 console and navigate to the "cis_v140" bucket.
  2. Click on the "Permissions" tab.
  3. Under "Bucket Policy", click on the "Edit" button.
  4. Replace the existing bucket policy or add a new statement within the existing policy with the following JSON code. The statement denies every S3 action (s3:*) on both the bucket and its objects when the request is not made over TLS:
     {
         "Sid": "DenyHTTP",
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [
             "arn:aws:s3:::cis_v140",
             "arn:aws:s3:::cis_v140/*"
         ],
         "Condition": {
             "Bool": {
                 "aws:SecureTransport": "false"
             }
         }
     }

  5. Click on the "Save changes" button to enforce the new bucket policy.
  6. Test the policy enforcement by attempting an HTTP request to the S3 bucket. The request should be denied with an AccessDenied error.
  7. Monitor the bucket's server access logs to confirm that requests made over HTTP are being denied and that HTTPS requests continue to succeed.

By following these remediation steps, you will enforce the bucket policy to deny HTTP requests for the "cis_v140" bucket and verify its effectiveness.
