
Rule: S3 Buckets Should Enforce SSL

This rule ensures that S3 buckets enforce SSL for secure data transfer.

Rule: S3 buckets should enforce SSL
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description:

Under NIST 800-53 Revision 5, S3 buckets should enforce SSL. This rule ensures that all data transmitted to and from S3 buckets is encrypted using Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). Enforcing SSL/TLS protects sensitive data from interception or tampering while it is in transit.

Troubleshooting Steps:

A bucket that does not enforce SSL accepts plain HTTP requests, which exposes data in transit. To troubleshoot and enforce SSL:

  1. Check the bucket policy: Ensure that the bucket policy explicitly requires SSL/TLS for all communications. The policy should contain a statement that denies any request that does not use SSL, that is, any request for which the aws:SecureTransport condition key is false. The Resource element must name both the bucket and its objects; the object ARN alone leaves bucket-level operations such as listing the bucket unprotected. Example bucket policy:

{
    "Version": "2012-10-17",
    "Id": "EnforceSSLOnly",
    "Statement": [
        {
            "Sid": "DenyNonSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

  2. Verify SSL/TLS encryption: Confirm that SSL/TLS encryption is properly set up for the S3 bucket, including certificates that use strong encryption algorithms and protocols.

  3. Review access logs: Analyze access logs to identify any suspicious or non-SSL requests. S3 server access logs provide detailed information about each request made to the bucket; requests made over plain HTTP show "-" in the cipher suite and TLS version fields.

  4. Check the bucket access configuration: Ensure that the bucket's access controls allow only SSL/TLS connections, rejecting unencrypted HTTP connections and permitting HTTPS only.
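To automate the bucket-policy check in step 1, the following Python is an added example (not Cloud Defense's own code) that parses a bucket policy document and reports which of the bucket ARN and its object ARN are not covered by a qualifying Deny statement. The two sample policies are constructed here for illustration.

```python
import json

# Constructed sample: the objects-only form, which leaves bucket-level
# operations such as ListBucket reachable over plain HTTP.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNonSSL",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": "arn:aws:s3:::bucket-name/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: the same statement covering both the bucket and its objects.
FULL_POLICY = OBJECTS_ONLY_POLICY.replace(
    '"arn:aws:s3:::bucket-name/*"',
    '["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]',
)


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True if the statement denies every principal and action when aws:SecureTransport is false."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"*", "s3:*"}:
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(flag).lower() == "false"


def ssl_enforcement_gaps(policy_json, bucket):
    """Return the required ARNs (bucket and objects) that no qualifying Deny statement covers."""
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if _denies_insecure_transport(stmt):
            resources = set(_as_list(stmt.get("Resource", [])))
            covered |= required if "*" in resources else resources
    return sorted(required - covered)
```

An empty result means the policy satisfies the rule; any ARN returned is a resource that still accepts unencrypted requests.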

Remediation Steps:

To enforce SSL for S3 buckets, follow these steps:

  1. Open the Amazon S3 console.

  2. Select the desired bucket.

  3. Click on the "Permissions" tab.

  4. Under "Bucket Policy," click on "Edit."

  5. Add the following policy statement to enforce SSL:

{
    "Version": "2012-10-17",
    "Id": "EnforceSSLOnly",
    "Statement": [
        {
            "Sid": "DenyNonSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::bucket-name",
                "arn:aws:s3:::bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

  6. Replace "bucket-name" wherever it appears with the name of your S3 bucket.

  7. Save the bucket policy.

  8. Test the enforcement by attempting to access the S3 bucket over an unencrypted HTTP connection. The request should be denied with a 403 Access Denied response.

  9. Verify that SSL/TLS access still works by accessing the bucket over HTTPS and confirming that the request succeeds.

Following these steps enforces SSL on the bucket in line with NIST 800-53 Revision 5, ensuring that data is encrypted in transit.
