Rule: S3 Buckets Should Enforce SSL

This rule ensures that S3 buckets enforce SSL for secure data transfer.

Rule: S3 buckets should enforce SSL
Framework: NIST 800-53 Revision 4
Severity: Medium

Rule Description:

The rule requires that all S3 buckets enforce SSL (Secure Sockets Layer) encryption to comply with the security standard defined in NIST 800-53 Revision 4. By enforcing SSL for S3 buckets, data transmitted between the client and the bucket will be encrypted, enhancing the security and privacy of the stored data.

Troubleshooting Steps:

  1. Verify if SSL encryption is enabled for the S3 bucket.
  2. Check if the bucket policy and ACLs (Access Control Lists) are correctly configured to enforce SSL.

Necessary Codes:

To enforce SSL for S3 buckets, you can use the following bucket policy code snippet:

{
    "Version": "2012-10-17",
    "Id": "EnforceSSL",
    "Statement": [
        {
            "Sid": "EnforceSSLOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

This policy denies all actions on the S3 bucket that do not use SSL.
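
As an added example (not part of the original page or any vendor tooling), the Python below checks whether a bucket policy document contains the deny statement shown above, covering both the bucket ARN and its objects. The function name `enforces_ssl` and the bucket name `example-bucket` are hypothetical, and the sample policies are constructed for illustration.

```python
import json

def _as_list(value):
    # IAM policy elements may be a single value or a list.
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    # Matches "Principal": "*" and {"AWS": "*"}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _denies_plaintext(condition):
    # Accept only the lone condition Bool aws:SecureTransport = false; extra
    # operators or keys would narrow the Deny, so they are rejected.
    if not isinstance(condition, dict) or set(condition) != {"Bool"}:
        return False
    keys = {k.lower(): v for k, v in condition["Bool"].items()}
    if set(keys) != {"aws:securetransport"}:
        return False
    return [str(v).lower() for v in _as_list(keys["aws:securetransport"])] == ["false"]

def enforces_ssl(policy_json, bucket):
    # Hypothetical helper: strict structural check, so wildcard ARNs or
    # NotAction/NotResource variants are reported as non-compliant.
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"s3:*", "*"} and wanted <= resources \
                and _denies_plaintext(stmt.get("Condition")):
            return True
    return False

# Constructed sample policies for a hypothetical bucket "example-bucket".
def _policy(effect, resources, flag):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": flag}}}]})

BOTH = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
GOOD = _policy("Deny", BOTH, "false")              # the policy shown above
OBJECTS_ONLY = _policy("Deny", BOTH[1:], "false")  # bucket-level calls uncovered
ALLOW_ONLY = _policy("Allow", BOTH, "true")        # allows TLS, denies nothing
```

An `Allow` statement conditioned on `aws:SecureTransport` being `true` does not satisfy the check, because other grants can still permit plaintext requests; only an explicit `Deny` overrides them.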

Step-by-Step Guide for Remediation:

  1. Access the AWS Management Console and navigate to the Amazon S3 service.
  2. Select the S3 bucket that needs to have SSL enforced.
  3. Click on the "Permissions" tab.
  4. Under the "Bucket Policy" section, click on "Edit" to modify the bucket policy.
  5. Replace any existing policy with the policy code provided above.
  6. Click on "Save changes" to apply the updated bucket policy.
  7. Verify that SSL enforcement is enabled by examining the "Access" column in the S3 bucket list. It should show "SSL required" for the relevant bucket.
  8. If SSL enforcement is not yet enabled, wait a few minutes for the changes to propagate, and then repeat steps 2-7 to ensure the bucket policy is properly applied.

Note: Ensure that you have the necessary permissions to modify the bucket policy and enforce SSL for S3 buckets.
