Profile Applicability:
- Level 1
Description:
This control ensures that all Amazon Simple Storage Service (S3) buckets have a bucket policy enforcing secure transport (HTTPS) for data access. This prevents insecure connections over HTTP and ensures that data transmitted between clients and S3 is encrypted in transit using SSL/TLS. Enforcing secure transport helps protect sensitive data from interception or man-in-the-middle attacks during transmission.
Rationale:
S3 buckets often store sensitive or regulated data such as logs, backups, and customer information. Allowing unsecured HTTP connections exposes this data to potential interception or tampering. By adding a bucket policy statement that denies requests for which the "aws:SecureTransport" condition key is false (that is, any request not made over HTTPS), all non-HTTPS requests are automatically denied, ensuring that only encrypted connections can access S3 resources. This aligns with encryption-in-transit best practices and supports compliance with frameworks such as SOC 2, ISO 27001, HIPAA, PCI DSS, and the CIS AWS Foundations Benchmark.
Impact:
- Positive Impact:
  - Ensures all data transferred between clients and S3 is encrypted in transit.
  - Mitigates the risk of data leakage through insecure communication.
  - Strengthens compliance with security and data protection requirements.
- Negative Impact:
  - Legacy applications or tools not configured for HTTPS will be denied access until updated.
Default Value:
By default, S3 buckets allow both HTTP and HTTPS connections unless explicitly restricted by a bucket policy.
Pre-Requisite:
IAM permissions required: s3:GetBucketPolicy, s3:PutBucketPolicy, and s3:ListAllMyBuckets.
Ensure that existing applications interacting with the bucket are configured to use HTTPS.
Remediation:
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon S3 → Buckets.
Select a bucket and open the Permissions tab.
Under Bucket policy, review the existing JSON policy.
Verify that it includes a statement enforcing secure transport, such as:
If no such policy exists, or if the "aws:SecureTransport": "false" condition is missing, this control is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to Amazon S3 → Buckets.
Select the bucket to secure.
Go to the Permissions tab.
Under Bucket policy, click Edit.
Add or update the following policy, replacing example-bucket with your actual bucket name:
Click Save changes.
Test by attempting to access the bucket using HTTP; it should now be denied.
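The following script is an added example, not part of this control text or of any AWS-provided tooling. It covers both the Test Plan (evaluate whether a bucket policy actually contains a Deny statement keyed on "aws:SecureTransport": "false") and the Implementation Plan (build the policy to apply). The bucket name example-bucket is the placeholder from the control; the sample policies, the stub-friendly audit and apply helpers, and the function names are all constructed here. The checker is stricter than a plain text search: it also rejects the common mistake of denying on "true", which would block HTTPS clients instead of HTTP ones.

```python
"""Build and verify an S3 bucket policy that denies non-HTTPS access (added example)."""
import json

BUCKET = "example-bucket"  # placeholder from the control text; replace with the real bucket name


def secure_transport_policy(bucket):
    """Return the deny-if-not-HTTPS policy covering the bucket and every object in it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                # aws:SecureTransport is "false" for plain-HTTP requests, so this denies them.
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    """IAM JSON allows most fields to be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def enforces_secure_transport(policy, bucket):
    """True if `policy` (dict or JSON string) has a Deny statement that blocks every
    principal and every S3 action on the bucket and its objects when aws:SecureTransport is false."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        # A Deny keyed on "true" would block HTTPS instead; only "false" is accepted.
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        flags = {str(v).lower() for v in _as_list(bool_cond.get("aws:SecureTransport"))}
        if flags != {"false"}:
            continue
        principal = stmt.get("Principal")
        if not (principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            continue
        actions = set(_as_list(stmt.get("Action")))
        if not actions & {"s3:*", "*"}:
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or required <= resources:
            return True
    return False


def audit_bucket(client, bucket):
    """Fetch the live policy through a boto3 S3 client and evaluate it.
    A bucket with no policy at all is non-compliant for this control."""
    try:
        document = client.get_bucket_policy(Bucket=bucket)["Policy"]
    except Exception as exc:  # boto3 raises client.exceptions.NoSuchBucketPolicy
        if type(exc).__name__ == "NoSuchBucketPolicy":
            return False
        raise
    return enforces_secure_transport(document, bucket)


def apply_policy(client, bucket):
    """Write the secure-transport policy. Save the previous policy first so the backout plan works."""
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(secure_transport_policy(bucket)))


# Constructed sample policies for the stand-alone run: one compliant, two typical failures.
COMPLIANT = secure_transport_policy(BUCKET)
WRONG_VALUE = json.loads(json.dumps(COMPLIANT))
WRONG_VALUE["Statement"][0]["Condition"]["Bool"]["aws:SecureTransport"] = "true"
NO_CONDITION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT), ("deny-on-true", WRONG_VALUE), ("no-condition", NO_CONDITION)]:
        verdict = "compliant" if enforces_secure_transport(doc, BUCKET) else "NON-COMPLIANT"
        print(f"{name}: {verdict}")
    print(json.dumps(COMPLIANT, indent=2))  # the policy to paste into the console editor
```

Running the script prints the verdict for each sample and the JSON to paste under Bucket policy; with a real boto3 client (`boto3.client("s3")`), `audit_bucket` reads the live policy and `apply_policy` writes the secure-transport one. After applying it, the HTTP test in the Implementation Plan should fail with an access denied response while HTTPS access continues to work.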
Backout Plan:
Using AWS Console:
If the policy inadvertently disrupts critical workflows (e.g., legacy systems without HTTPS), revert to the previous version of the bucket policy:
Go to S3 → Buckets → Permissions → Bucket Policy.
Restore the earlier JSON policy from backup or AWS Config history.
Work with development teams to update affected applications to use HTTPS before reapplying the secure transport policy.