
Rule: S3 Buckets Should Enforce SSL

This rule ensures that S3 buckets enforce SSL encryption for secure data transfer.

Rule: S3 buckets should enforce SSL
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description:

This rule ensures that all S3 buckets within an organization enforce SSL (Secure Sockets Layer) encryption in accordance with NIST (National Institute of Standards and Technology) guidelines. More specifically, it aligns with the requirements specified in NIST 800-171 Revision 2, which focuses on protecting controlled unclassified information (CUI) in nonfederal systems and organizations.

Enforcing SSL encryption for S3 buckets helps protect sensitive data during transmission between the client and the S3 service, thereby reducing the risk of data interception and unauthorized access.

Troubleshooting Steps:

If SSL enforcement is not configured correctly, the following troubleshooting steps can be followed:

  1. Verify SSL Configuration: Check the bucket's SSL configuration to ensure SSL is enabled and enforced for both incoming and outgoing traffic.
  2. Review Bucket Policies: Review the bucket policies to verify that there are no conflicting policies preventing SSL enforcement.
  3. Check Bucket Access Control: Ensure that the appropriate permissions are set for the bucket and that SSL enforcement is not inadvertently prevented by access control settings.
  4. Review IAM Policies: Check the IAM (Identity and Access Management) policies associated with the bucket to ensure they are not overriding SSL enforcement settings.
  5. Test SSL Connectivity: Use various tools or methods to test the SSL connectivity of the S3 bucket, making sure that the SSL certificate is valid and properly installed.

Code Example:

The following is an example of bucket policy code that enforces SSL for an S3 bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket/*",
                "arn:aws:s3:::your-bucket"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

This bucket policy denies every S3 action on the bucket and on its objects whenever the request is not made over SSL, that is, whenever the aws:SecureTransport condition key evaluates to false.

Remediation Steps:

To remediate the non-compliance of S3 bucket SSL enforcement, follow these step-by-step actions:

  1. Identify the S3 bucket(s) that are not enforcing SSL encryption.
  2. Access the AWS Management Console or use the AWS CLI (Command Line Interface) to navigate to the S3 service.
  3. Find the target bucket and select it.
  4. Review the bucket properties and ensure that SSL is enabled for the bucket.
  5. If SSL is not enabled, go to the bucket's properties and enable SSL for both incoming and outgoing traffic.
  6. Check the bucket policy associated with the S3 bucket.
  7. Ensure that the bucket policy includes the code example provided above or a similar policy that enforces SSL encryption (if not already present).
  8. If the bucket policy is not present or needs modification, edit it to include the SSL enforcement code snippet.
  9. Save the changes to the bucket policy.
  10. Verify the SSL enforcement by testing the connectivity to the S3 bucket using SSL-enabled clients or online SSL testing tools.
  11. Repeat the steps for any additional non-compliant S3 buckets within the organization.

Following these steps brings SSL enforcement for S3 buckets into compliance with NIST 800-171 Revision 2.
