Profile Applicability:

Level 2

Description:

By default, Amazon S3 allows both HTTP and HTTPS requests for accessing objects.

  • This control ensures that only HTTPS requests are allowed by explicitly denying HTTP access.

  • S3 bucket policies should include a rule to reject requests using HTTP to enforce encrypted communication.

Rationale:

  • HTTP requests send data in plaintext, exposing sensitive information to interception.

  • Man-in-the-Middle (MitM) attacks are easier when unencrypted HTTP connections are allowed.

  • Enforcing HTTPS ensures secure data transfer between clients and Amazon S3.

Impact:

  • If HTTP requests are denied, applications that rely on HTTP may fail.

  • Older clients that do not support HTTPS may need to be upgraded.

  • Bucket policy misconfigurations may prevent legitimate access.

Default Value:

By default:

  • Amazon S3 accepts both HTTP and HTTPS requests.

  • HTTPS is not enforced unless an explicit policy denies HTTP access.

Pre-Requisites:

  1. IAM permissions to modify bucket policies

    • s3:PutBucketPolicy, s3:GetBucketPolicy

  2. AWS CLI installed (for automation)

  3. Identify all S3 buckets in your AWS account

  4. Ensure no application dependencies require HTTP access

Remediation:

Test Plan:

Using AWS Console

  1. Login to AWS Console → Open S3 Console.

  2. Click on Buckets and select the target bucket.

  3. Click on Permissions → Bucket Policy.

  4. Verify whether the policy explicitly denies HTTP requests by checking for a statement of this form:

     {
         "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::<bucket_name>/*",
         "Condition": {
             "Bool": {
                 "aws:SecureTransport": "false"
             }
         }
     }

  5. If this statement does not exist, HTTP requests are allowed.

Using AWS CLI

Step 1: List All S3 Buckets

aws s3 ls

  • Returns a list of all buckets in the AWS account.

Step 2: Check the Policy for Each Bucket

aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport

OR

aws s3api get-bucket-policy --bucket <bucket_name> | grep s3:TlsVersion

  • If the command fails with a NoSuchBucketPolicy error, the bucket has no policy and accepts both HTTP and HTTPS requests.

  • If no Deny statement sets aws:SecureTransport to false, HTTP access is still allowed. A grep match on the key alone (for example inside an Allow statement) does not prove that HTTP is denied.
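The grep checks above only show that the condition key occurs somewhere in the policy text; they match an Allow statement that requires HTTPS just as well as a Deny that rejects HTTP, and they say nothing about which resources the Deny covers. The following Python script, added here as an example and not part of the original document or of any AWS tooling, decodes the output of `aws s3api get-bucket-policy` and evaluates the Deny statement itself. It also checks that the statement's Resource covers both `arn:aws:s3:::<bucket_name>` and `arn:aws:s3:::<bucket_name>/*`: a Deny on the object ARN alone leaves bucket-level operations such as listing reachable over HTTP. The bucket name, account ID and the three sample policies are constructed; in practice, pass the function the text the CLI command printed, or None when it failed with NoSuchBucketPolicy.

```python
import json

# Constructed sample outputs of `aws s3api get-bucket-policy` (not taken from
# any real account). The CLI wraps the policy document as a JSON string inside
# a "Policy" field, so the value has to be decoded twice.
def _cli_output(statements):
    policy = {"Version": "2012-10-17", "Statement": statements}
    return json.dumps({"Policy": json.dumps(policy)})

# Case 1: the statement from the page, which names only the object ARN.
OBJECTS_ONLY = _cli_output([{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}])

# Case 2: a Deny covering both the bucket and its objects, next to an Allow.
FULLY_ENFORCED = _cli_output([
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
])

# Case 3: the key appears only in an Allow, so `grep aws:SecureTransport`
# matches although nothing denies HTTP.
GREP_MATCH_ONLY = _cli_output([{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}},
}])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_http_deny(stmt):
    """True if the statement denies every principal all S3 actions over HTTP."""
    if stmt.get("Effect") != "Deny":
        return False
    principal = stmt.get("Principal")
    if principal != "*" and not (isinstance(principal, dict) and principal.get("AWS") == "*"):
        return False
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
        return False
    # IAM accepts the Bool value as the string "false" or the JSON literal false.
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(value).lower() == "false"


def http_deny_coverage(cli_output, bucket):
    """Return the set of resource classes ('bucket', 'objects') of `bucket`
    that some HTTP-deny statement covers. cli_output is the raw text printed
    by get-bucket-policy, or None when the call failed with NoSuchBucketPolicy."""
    if cli_output is None:
        return set()
    policy = json.loads(json.loads(cli_output)["Policy"])
    bucket_arn = f"arn:aws:s3:::{bucket}"
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _is_http_deny(stmt):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*"):
                covered.update({"bucket", "objects"})
            elif resource == bucket_arn:
                covered.add("bucket")
            elif resource == bucket_arn + "/*":
                covered.add("objects")
    return covered


def enforces_https(cli_output, bucket):
    """The control passes only when bucket-level and object-level operations
    are both denied over HTTP."""
    return http_deny_coverage(cli_output, bucket) == {"bucket", "objects"}


if __name__ == "__main__":
    for name, sample in [("objects-only", OBJECTS_ONLY), ("fully-enforced", FULLY_ENFORCED),
                         ("grep-match-only", GREP_MATCH_ONLY), ("no-policy", None)]:
        print(f"{name}: coverage={sorted(http_deny_coverage(sample, 'example-bucket'))} "
              f"pass={enforces_https(sample, 'example-bucket')}")
```

Only the fully-enforced sample passes; the page's object-only statement reports coverage of objects alone, and the grep-only sample fails even though `grep aws:SecureTransport` would have matched it.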

Implementation Steps:

Using AWS Console

  1. Login to AWS Console → Open S3 Console.

  2. Click on Buckets and select the target bucket.

  3. Click on Permissions → Bucket Policy.

  4. Add the following JSON policy (if the bucket already has a policy, add the Deny statement to its existing "Statement" array instead of replacing the policy):

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Deny",
                 "Principal": "*",
                 "Action": "s3:*",
                 "Resource": "arn:aws:s3:::<bucket_name>/*",
                 "Condition": {
                     "Bool": {
                         "aws:SecureTransport": "false"
                     }
                 }
             }
         ]
     }

  5. Click Save.


Use AWS Policy Generator (GUI Alternative)

  1. Login to AWS Console → Open S3 Console.

  2. Select Bucket → Click Permissions → Bucket Policy.

  3. Click Policy Generator at the bottom.

  4. Enter policy details:

    • Effect = Deny

    • Principal = *

    • AWS Service = Amazon S3

    • Actions = s3:*

    • Amazon Resource Name (ARN) = arn:aws:s3:::<bucket_name>

    • Condition = "aws:SecureTransport": "false"

  5. Click Generate Policy → Copy Generated Policy into the Bucket Policy Editor.

  6. Click Save.

Using AWS CLI

Step 1: Export the Current Policy to a JSON File

aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json

Step 2: Edit the policy.json file and add the following statement to its "Statement" array (if Step 1 failed with NoSuchBucketPolicy, create policy.json as a new policy with "Version": "2012-10-17" and a "Statement" array containing just this statement):

{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}

Step 3: Apply the Updated Policy

aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json

Backout Plan:

If applications require HTTP access, follow these steps:

  1. Modify the bucket policy to allow HTTP requests (note that the statement below, with Principal "*", also grants anonymous access to the bucket):

     {
         "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::<bucket_name>/*"
     }

  2. Or use the AWS CLI to delete the bucket policy (this removes every statement in the policy, not only the Deny rule):

     aws s3api delete-bucket-policy --bucket <bucket_name>

  3. Test to ensure HTTP access is restored.
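Step 2 of the CLI implementation above is a manual edit of policy.json, and the Backout Plan deletes the whole bucket policy to get rid of one rule. The Python script below, an added example that is not part of the original document or of the AWS CLI, performs both edits programmatically: it merges the Deny statement into whatever policy.json already contains (or creates a policy when Step 1 failed with NoSuchBucketPolicy), tags the statement with a Sid so it can be found again, and on backout removes only that statement while keeping every other statement in place. The Sid value, the bucket name and the sample existing policy are constructed for this example; the Deny statement additionally lists the bucket ARN so that bucket-level operations over HTTP are denied as well as object operations. The returned text is what `aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json` uploads.

```python
import json

# Sid used to tag the statement so the backout step can locate and remove
# exactly this statement. The name is this example's choice, not an AWS value.
DENY_SID = "DenyInsecureTransport"

# Constructed sample of an existing policy, as written to policy.json by
# `get-bucket-policy --query Policy --output text` (not from any real account).
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def deny_http_statement(bucket):
    """The page's Deny rule, with the bucket ARN added so that bucket-level
    operations (e.g. listing) over HTTP are denied as well as object operations."""
    return {
        "Sid": DENY_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _statements(policy):
    # A policy may hold a single statement object instead of an array.
    stmts = policy.get("Statement", [])
    return list(stmts) if isinstance(stmts, list) else [stmts]


def statement_sids(policy_text):
    """Sids of the statements in a policy document, in order (None if unnamed)."""
    return [s.get("Sid") for s in _statements(json.loads(policy_text))]


def add_deny_http(policy_text, bucket):
    """Return the text to write back to policy.json with the Deny statement present.

    policy_text is the current policy document, or None when Step 1 failed with
    NoSuchBucketPolicy. Existing statements are kept, and running this twice
    does not duplicate the rule."""
    if policy_text:
        policy = json.loads(policy_text)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    kept = [s for s in _statements(policy) if s.get("Sid") != DENY_SID]
    policy["Statement"] = kept + [deny_http_statement(bucket)]
    return json.dumps(policy, indent=4)


def remove_deny_http(policy_text):
    """Backout: return the policy with only our Deny statement removed, or None
    when no statements remain (then run delete-bucket-policy rather than
    uploading a policy with an empty Statement array)."""
    policy = json.loads(policy_text)
    kept = [s for s in _statements(policy) if s.get("Sid") != DENY_SID]
    if not kept:
        return None
    policy["Statement"] = kept
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    hardened = add_deny_http(EXISTING_POLICY, "example-bucket")
    # Next step from the page: aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
    with open("policy.json", "w") as fh:
        fh.write(hardened)
    print(hardened)
    print("backout ->", remove_deny_http(hardened))
```

When remove_deny_http returns None the Deny rule was the only statement, which is the one case where the page's delete-bucket-policy command is the right backout; otherwise upload the returned document with put-bucket-policy and the other statements survive.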

References: