Description: 

Simple Storage Service (S3) is storage for the internet. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere on the web, using the web interface of the AWS Management Console or the API. This rule checks that the bucket policy requires encryption in transit by denying unencrypted HTTP requests.


Rationale: 

Enforce SSL/TLS-only access by denying all unencrypted HTTP requests to buckets that hold sensitive or private data. When an S3 bucket is not configured to strictly require SSL/TLS connections, the traffic between clients (users, applications) and the bucket is exposed to eavesdropping and man-in-the-middle (MITM) attacks.


Impact:
A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. Object permissions apply only to the objects that the bucket owner creates. Once the Deny statement described below is in place, every request that reaches the bucket over plain HTTP is rejected with Access Denied, regardless of what other bucket policy statements, ACLs or IAM policies allow (an explicit deny always wins), so any client or SDK still configured for the HTTP endpoint must be switched to HTTPS before the change is applied.


Default Value: 

By default, Amazon S3 accepts both HTTP and HTTPS requests. To comply with the s3-bucket-ssl-requests-only rule, confirm that your bucket policy explicitly denies HTTP requests. A bucket policy that only allows HTTPS requests, without explicitly denying HTTP requests, does not block plaintext access and might not comply with the rule.


Audit:

To verify whether your Amazon S3 buckets protect data in transit using SSL/TLS:

  1. Sign in to the AWS Management Console

  2. Open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  3. Click Buckets in the left navigation pane

  4. In the Buckets list, choose the name of the bucket that you want to examine

  5. Select the Permissions tab and go to the Bucket policy section

  6. In the Bucket policy document, look for the following condition:


     "Condition": { "Bool": { "aws:SecureTransport": "false" } }

    on a statement whose Effect is "Deny". You may also see

     "Condition": { "Bool": { "aws:SecureTransport": "true" } }

    on a statement whose Effect is "Allow"; that form only grants access over SSL/TLS and does not by itself block HTTP requests, so it does not satisfy the rule on its own. The Deny condition allows only SSL/TLS (encrypted) access to the bucket and the objects stored in it. If no such Deny statement is defined in the existing bucket policy, the selected S3 bucket does not protect its data in transit.
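The console steps above can be repeated offline against the policy document that `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` returns. The following Python is an added example written for this page, not AWS code; the bucket name and the three sample policy documents are constructed. It applies the rule as stated in the Default Value section: only a Deny statement keyed on aws:SecureTransport being false, covering every principal, all S3 actions, and both the bucket ARN and its objects, passes; an Allow conditioned on "true", or a Deny that names only the objects, does not.

```python
"""Offline audit of an S3 bucket policy for the Deny-on-HTTP condition.

Added example, not part of the original page.  BUCKET_ARN and the three
policy documents below are constructed for the demonstration.
"""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::example-bucket"  # assumed bucket name


def _as_list(value):
    """IAM accepts a scalar or an array for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(resources, required):
    """True if some Resource pattern matches the required ARN.
    IAM's * and ? wildcards behave like shell globs for this purpose."""
    return any(fnmatch.fnmatchcase(required, pattern) for pattern in resources)


def statement_denies_plaintext(stmt, bucket_arn):
    """One statement satisfies the rule when it denies every principal all
    S3 actions on the bucket AND its objects whenever the request is not
    made over TLS (aws:SecureTransport is false)."""
    if stmt.get("Effect") != "Deny":
        return False
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & {"s3:*", "*"}:
        return False
    resources = _as_list(stmt.get("Resource"))
    if not (_covers(resources, bucket_arn) and _covers(resources, bucket_arn + "/*")):
        return False
    # Condition keys are case-insensitive; the value may be "false" or false.
    condition = {k.lower(): v for k, v in stmt.get("Condition", {}).items()}
    bool_block = {k.lower(): v for k, v in condition.get("bool", {}).items()}
    return str(bool_block.get("aws:securetransport", "")).lower() == "false"


def policy_requires_tls(policy, bucket_arn):
    """policy: the JSON string returned by get-bucket-policy, or a dict."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return any(statement_denies_plaintext(s, bucket_arn)
               for s in _as_list(doc.get("Statement")))


# Constructed sample policies for the three cases a reviewer meets.
COMPLIANT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Allow-only: grants HTTPS access but never denies HTTP, so it does not
# satisfy the rule (see Default Value above).
ALLOW_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# Deny that names only the objects: bucket-level calls such as ListBucket
# over HTTP are not blocked by this statement.
OBJECTS_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARN + "/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT), ("allow-only", ALLOW_ONLY),
                      ("objects-only", OBJECTS_ONLY)):
        verdict = "PASS" if policy_requires_tls(doc, BUCKET_ARN) else "FAIL"
        print(f"{name:13s} {verdict}")
```

To audit a real bucket, pass the string from the get-bucket-policy call above as `policy` and `arn:aws:s3:::<bucket-name>` as `bucket_arn`; a bucket with no policy at all fails the rule, since there is nothing to deny HTTP.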


Remediation:


Pre-Requisite:

  1. Sign in as an administrator or as an IAM user with the required permissions (s3:GetBucketPolicy and s3:PutBucketPolicy on the bucket)

  2. Record the policy currently attached to the S3 bucket as a backup


Implementation: 

Step 1: Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

Step 2: In the Bucket name list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.

Step 3: Choose Permissions, and then go to the Bucket Policy section.

Step 4: Click on the Edit button to edit the bucket policy in use or add a new policy.

Step 5: In the Bucket policy editor, do one of the following depending on your current configuration:

  1. If no policy exists yet, copy and paste the following policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::ABC/*",
                    "arn:aws:s3:::ABC"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }


    Note: Replace "ABC" in both Resource entries with your bucket name, so that the entries are the bucket ARN and the bucket ARN followed by /*. Both are needed: the first covers object-level actions, the second covers bucket-level actions such as ListBucket.

  2. If a policy already exists, add the Deny statement to the existing Statement array, keeping the existing statements and the Version unchanged:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                ... your existing statement(s), unchanged ...
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::ABC/*",
                    "arn:aws:s3:::ABC"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }


    Note: Replace "ABC" in both Resource entries with your bucket name. Copy only the Deny statement into your policy; the Sid must not clash with an existing statement ID.


Step 6: Click on Save changes.
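The same remediation can be scripted so that the existing policy is fetched, backed up (pre-requisite 2) and merged rather than overwritten. The following Python is an added example written for this page, not AWS code; the bucket name, account ID and the sample existing policy are constructed, and the boto3 calls at the bottom are only reached when a bucket name is given on the command line, so the merge logic runs offline.

```python
"""Merge the Deny-on-HTTP statement into an S3 bucket policy.

Added example, not part of the original page.  The example policy,
bucket name and account ID are constructed; boto3 is only imported
when a real bucket is targeted.
"""
import json
import sys
import time

# Constructed: what get-bucket-policy might return for a bucket that
# already grants read access to another account.
EXAMPLE_EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPartnerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},  # constructed account
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def ssl_only_deny_statement(bucket_arn):
    """The Deny statement from the Remediation section, built for one bucket."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _already_denies_http(stmt):
    """Idempotency check: a Deny keyed on aws:SecureTransport being false."""
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")


def merge_ssl_only_deny(existing, bucket_arn):
    """existing: policy JSON string or dict, or None when the bucket has no
    policy.  Returns the merged policy as a dict; the input is not modified."""
    if existing is None:
        doc = {"Version": "2012-10-17", "Statement": []}
    elif isinstance(existing, str):
        doc = json.loads(existing)
    else:
        doc = json.loads(json.dumps(existing))  # deep copy
    statements = doc.get("Statement", [])
    if not isinstance(statements, list):
        statements = [statements]
    if not any(_already_denies_http(s) for s in statements):
        statements.append(ssl_only_deny_statement(bucket_arn))
    doc["Statement"] = statements
    return doc


def apply_to_bucket(bucket_name, backup_path=None):
    """Fetch, back up, merge and put.  Needs boto3 and credentials holding
    s3:GetBucketPolicy and s3:PutBucketPolicy on the bucket."""
    import boto3  # imported here so the offline part runs without it

    s3 = boto3.client("s3")
    bucket_arn = "arn:aws:s3:::" + bucket_name
    try:
        current = s3.get_bucket_policy(Bucket=bucket_name)["Policy"]
    except s3.exceptions.NoSuchBucketPolicy:
        current = None
    # Pre-requisite 2: keep a copy of the old policy for the backout plan.
    backup_path = backup_path or f"{bucket_name}-policy-{int(time.time())}.json.bak"
    with open(backup_path, "w") as fh:
        fh.write(current or "")
    merged = merge_ssl_only_deny(current, bucket_arn)
    s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(merged))
    return merged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(apply_to_bucket(sys.argv[1]), indent=2))
    else:
        # Offline demonstration against the constructed policy.
        print(json.dumps(merge_ssl_only_deny(EXAMPLE_EXISTING_POLICY,
                                             "arn:aws:s3:::example-bucket"), indent=2))
```

Running the script with no arguments prints the merged document for review; running it with a bucket name performs the change. The backup file written by apply_to_bucket is what you restore from if the Deny statement has to be backed out.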


Backout plan:
To back out the change, either remove the Deny statement from the policy or delete the bucket policy entirely:

  1. Open the Amazon S3 console.

  2. Select the bucket whose policy you want to edit or delete.

  3. Choose the Permissions tab.

  4. In the Bucket policy section, choose Edit to remove only the Deny statement (or to restore the policy recorded as a backup), or choose Delete to remove the whole policy.

  5. If deleting, confirm by choosing Delete. Note that deleting the bucket policy also removes every other statement it contained, so prefer editing when other statements must be kept.


References: 

Adding a bucket policy using the Amazon S3 console - Amazon Simple Storage Service

Bucket policy examples - Amazon Simple Storage Service

  https://docs.aws.amazon.com/s3/index.html