This rule ensures that S3 buckets enforce SSL for secure data transfer.
Rule | S3 buckets should enforce SSL |
Framework | CISA-cyber-essentials |
Severity | Medium |
Rule Description:
S3 buckets should enforce SSL/TLS for CISA Cyber Essentials compliance (SSL is the legacy name; S3 endpoints negotiate TLS). The rule checks that every request to the bucket, whether reading, writing or listing, has to arrive over HTTPS, so data in transit cannot be read or altered on the wire. S3 has no per-bucket switch for this; the control is a bucket policy that denies any request whose aws:SecureTransport condition key is false.
Troubleshooting Steps:
If the rule reports a bucket as non-compliant, work through the following:
Retrieve the bucket policy: Enforcement lives in the bucket policy, not in a bucket setting, so start by fetching the policy (for example with aws s3api get-bucket-policy) and checking whether a Deny statement for unencrypted transport is present at all.
Check the Deny statement: The statement must have Effect "Deny", Principal "*", Action "s3:*", a Resource list that names both the bucket ARN and the bucket ARN with "/*", and a single condition of "Bool": {"aws:SecureTransport": "false"}. The condition key is aws:SecureTransport; a policy written against a misspelt or non-existent key will be accepted by S3 but will never match a request.
Check for narrowing conditions: An explicit Deny overrides any Allow, but a Deny that carries extra conditions (a specific principal, source IP or VPC endpoint) only covers requests that meet those conditions. Remove anything that limits the statement's scope.
SSL/TLS certificates: The certificates on S3's own endpoints are managed and rotated by AWS, so there is nothing to renew on the bucket. Certificate checks only apply if the bucket is served through a custom domain, typically via CloudFront; in that case confirm that certificate is valid and not expired.
Test connectivity: Issue the same signed request over http:// and https:// (the AWS CLI accepts --endpoint-url to force the scheme). With the policy in place the HTTP request fails with 403 AccessDenied and the HTTPS request succeeds.
Necessary Codes:
The change itself is a bucket policy; no application code is needed. The following bucket policy enforces SSL/TLS (replace YOUR_BUCKET_NAME in both Resource entries):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceSSLOnly",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME",
        "arn:aws:s3:::YOUR_BUCKET_NAME/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
This statement denies every S3 action on the bucket and on its objects when the request does not arrive over HTTPS. Both ARNs are listed on purpose: bucket-level operations such as ListBucket are evaluated against the bucket ARN, so a policy that names only YOUR_BUCKET_NAME/* still allows the bucket to be listed over plain HTTP. Because it is an explicit Deny, it takes precedence over any Allow in the bucket policy or in the caller's IAM policies.
Step-by-Step Guide for Remediation:
To enforce SSL for an S3 bucket, follow these steps:
Identify the S3 bucket: Determine the name or ARN (Amazon Resource Name) of the S3 bucket that needs SSL enforcement.
Access the S3 bucket: Sign in to the AWS Management Console and navigate to the S3 service.
Select the bucket: Locate the desired bucket within the S3 dashboard.
Open the bucket policy editor: Go to the "Permissions" tab, scroll to the "Bucket policy" section and click "Edit".
Update the bucket policy: Paste the policy above, replacing YOUR_BUCKET_NAME with the bucket name in both Resource entries. If the bucket already has a policy, add the Deny statement to the existing "Statement" array instead of pasting over the whole document; replacing the policy silently drops every grant it contained.
Save the changes: Click "Save changes". S3 validates the document on save and rejects it if the JSON is malformed or a Resource does not belong to this bucket.
Test SSL enforcement: Send a signed request for an object over plain HTTP. It should be rejected with 403 AccessDenied.
Verify SSL enforcement: Connect to the S3 bucket using secure (HTTPS) connections. The requests should be successful, and data should be transferred securely.
Repeat for other buckets: For more than a handful of buckets, script the change with the AWS CLI (aws s3api put-bucket-policy) or your infrastructure-as-code tool rather than repeating the console steps, and keep the merge-into-existing-policy behaviour described above.
By following these steps, you should be able to enforce SSL for S3 buckets, ensuring compliance with CISA Cyber Essentials requirements.
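The troubleshooting checklist and the remediation steps above both come down to inspecting and editing one JSON document, so here they are as code. This is an added example, not code from the original page or from AWS: it works on the policy document as a Python dict so it runs offline, and the bucket name "example-bucket", the account ID and the sample policies are constructed placeholders. In a real account the document would be fetched with boto3's get_bucket_policy and written back with put_bucket_policy.

```python
"""Check and remediate S3 SSL/TLS enforcement at the bucket-policy level.

Added example, not code from the original page. It operates on the policy
document as a Python dict so it runs offline; in a real account fetch and
push the document with boto3's get_bucket_policy / put_bucket_policy.
"""
import copy
import json

CONDITION_KEY = "aws:SecureTransport"


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """'*' and {'AWS': '*'} both mean every principal, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _denies_only_insecure_transport(statement):
    """True if the statement's sole condition is aws:SecureTransport == false.

    Any extra condition key would narrow the Deny to a subset of requests,
    so the check insists that nothing else is present."""
    cond = statement.get("Condition") or {}
    if set(cond) != {"Bool"} or set(cond["Bool"]) != {CONDITION_KEY}:
        return False
    values = [str(v).lower() for v in _as_list(cond["Bool"][CONDITION_KEY])]
    return values == ["false"]


def policy_enforces_ssl(policy, bucket_name):
    """Return True if the policy denies every non-TLS request to the bucket.

    Both the bucket ARN (bucket-level calls such as ListBucket) and the
    object ARN (GetObject, PutObject, ...) must be covered. Matching is by
    exact ARN; wildcard resources are deliberately not interpreted."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    needed = {bucket_arn, bucket_arn + "/*"}
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Deny"
                and _principal_is_everyone(stmt.get("Principal"))
                and "s3:*" in _as_list(stmt.get("Action"))
                and "NotResource" not in stmt
                and _denies_only_insecure_transport(stmt)):
            covered |= needed & set(_as_list(stmt.get("Resource")))
    return covered == needed


def enforce_ssl_statement(bucket_name, sid="EnforceSSLOnly"):
    """The Deny statement from the page, covering bucket and objects."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"Bool": {CONDITION_KEY: "false"}},
    }


def add_ssl_enforcement(policy, bucket_name):
    """Return a policy with the Deny statement merged in.

    Pasting the snippet into the console editor replaces the whole policy
    and drops existing grants; merging keeps them. The input is returned
    unchanged when it already enforces TLS, so the call is idempotent."""
    if policy is None:
        policy = {"Version": "2012-10-17", "Statement": []}
    if policy_enforces_ssl(policy, bucket_name):
        return policy
    merged = copy.deepcopy(policy)
    merged.setdefault("Version", "2012-10-17")
    statements = _as_list(merged.get("Statement"))
    statements.append(enforce_ssl_statement(bucket_name))
    merged["Statement"] = statements
    return merged


# Constructed sample: an objects-only policy. ListBucket over plain HTTP is
# still permitted, so it does not satisfy the rule.
OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnforceSSLOnly", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {CONDITION_KEY: "false"}},
    }],
}

# Constructed sample: a pre-existing grant that remediation must preserve
# (account ID and role name are placeholders).
EXISTING_GRANT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReportsReader", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportsReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
}

if __name__ == "__main__":
    print("objects-only compliant:", policy_enforces_ssl(OBJECTS_ONLY, "example-bucket"))
    fixed = add_ssl_enforcement(EXISTING_GRANT, "example-bucket")
    print("after merge compliant:", policy_enforces_ssl(fixed, "example-bucket"))
    print(json.dumps(fixed, indent=2))
```

The checker is intentionally strict: it wants exactly one condition on the Deny, exact ARNs for both the bucket and its objects, and Action "s3:*" rather than a list of individual actions, because each of those relaxations is a way the statement can look right in the editor while leaving some request path open over HTTP. The remediation appends rather than replaces, which is the step most often skipped when the snippet is pasted into the console.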