Profile Applicability:
Level 2
Description:
By default, Amazon S3 accepts both HTTP and HTTPS requests for bucket and object operations.
This control ensures that only HTTPS requests are accepted by explicitly denying requests made over HTTP.
The bucket policy should contain a Deny statement that matches requests with the condition key aws:SecureTransport set to false, so that all communication with the bucket is encrypted in transit.
Rationale:
HTTP requests carry credentials, request parameters and object data in plaintext, exposing them to interception on the network path.
Man-in-the-Middle (MitM) attacks, in which an attacker reads or alters traffic, are far easier when unencrypted HTTP connections are accepted.
Enforcing HTTPS (TLS) ensures confidentiality and integrity of data in transit between clients and Amazon S3.
Impact:
Applications, scripts or integrations that address the bucket over HTTP (for example an endpoint URL beginning with http://) will start receiving 403 Access Denied responses.
Older clients that do not support HTTPS, or that cannot validate the S3 TLS certificate, must be upgraded or reconfigured.
A malformed or over-broad bucket policy can block legitimate access, so the policy should be validated before it is saved.
Default Value:
Amazon S3 accepts both HTTP and HTTPS requests.
HTTPS is not enforced unless a bucket policy explicitly denies requests whose aws:SecureTransport condition key is false.
Pre-Requisites:
IAM permissions to read and modify bucket policies:
s3:ListAllMyBuckets, s3:GetBucketPolicy, s3:PutBucketPolicy
AWS CLI installed and configured (for automation)
An inventory of all S3 buckets in the AWS account
Confirmation that no application dependency requires plain HTTP access to the bucket
Remediation:
Test Plan:
Using AWS Console
Log in to the AWS Console → Open the S3 Console.
Click on Buckets and select the target bucket.
Click on Permissions → Bucket Policy.
- Verify that the policy contains a Deny statement for plaintext requests that covers both the bucket and its objects:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
If this statement does not exist, HTTP requests are allowed. If the Resource element lists only arn:aws:s3:::<bucket_name>/*, object requests are denied over HTTP but bucket-level requests such as ListBucket are still accepted over HTTP, so the control is not satisfied.
Using AWS CLI
Step 1: List All S3 Buckets
aws s3 ls
Returns a list of all buckets in the AWS account (the account must hold s3:ListAllMyBuckets).
Step 2: Check the Policy for Each Bucket
aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport
The s3:TlsVersion condition key is a complementary check for the minimum TLS version, not a substitute: a NumericLessThan condition on s3:TlsVersion does not match a plaintext HTTP request, because that key is absent when no TLS session exists, so aws:SecureTransport is still required. It can be checked separately:
aws s3api get-bucket-policy --bucket <bucket_name> | grep s3:TlsVersion
If the command fails with NoSuchBucketPolicy, the bucket has no policy and accepts both HTTP and HTTPS requests. Any other error (for example AccessDenied) means the check did not run and must be repeated with sufficient permissions; it must not be recorded as compliant.
If no Deny statement with "aws:SecureTransport": "false" is present, or the statement covers only the object ARN and not the bucket ARN, HTTP access is still allowed. A grep only shows that the key appears somewhere in the policy; the Effect, Principal, Action and Resource of the matching statement must still be inspected.
Implementation Steps:
Using AWS Console
Log in to the AWS Console → Open the S3 Console.
Click on Buckets and select the target bucket.
Click on Permissions → Bucket Policy.
- Add the following statement. If the bucket already has a policy, append the statement to the existing Statement array rather than replacing the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
Click Save. The console validates the JSON; fix any reported syntax error before saving.
Use AWS Policy Generator (GUI Alternative)
Log in to the AWS Console → Open the S3 Console.
Select the bucket → Click Permissions → Bucket Policy.
Click Policy Generator below the policy editor.
Enter policy details:
Effect = Deny
Principal = *
AWS Service = Amazon S3
Actions = s3:* (All Actions)
Amazon Resource Name (ARN) = arn:aws:s3:::<bucket_name>,arn:aws:s3:::<bucket_name>/* (both ARNs, comma-separated, so bucket-level and object-level requests are covered)
Condition = operator Bool, key aws:SecureTransport, value false
Click Add Statement → Generate Policy → Copy the generated policy into the Bucket Policy Editor. If the bucket already has a policy, merge the new statement into the existing Statement array instead of overwriting it.
Click Save.
Using AWS CLI
Step 1: Export the Current Policy to a JSON File
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
Keep an unmodified copy of this file; it is the backout artifact. If the command fails with NoSuchBucketPolicy, the bucket has no policy: create policy.json containing only the Version and Statement keys shown below.
Step 2: Edit policy.json and add the following statement to the Statement array (keeping any existing statements):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
Step 3: Apply the Updated Policy
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
Step 4: Verify that a plaintext request is now refused, for example:
aws s3api list-objects-v2 --bucket <bucket_name> --endpoint-url http://s3.amazonaws.com
The call should fail with AccessDenied, while the same call over the default HTTPS endpoint still succeeds.
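The CLI test plan above relies on grep, which cannot tell a correct Deny statement from one that covers only the object ARN, and the remediation step edits policy.json by hand. The following Python script is an added example, not code from this benchmark or from AWS: it checks a policy document offline against every requirement of the control (Effect Deny, wildcard Principal, s3:* Action, aws:SecureTransport false, and a Resource covering both the bucket and its objects) and appends the Deny statement idempotently to an existing policy, which serves both the Test Plan and the Implementation Steps. The two sample policies are constructed for illustration, the Sid "DenyInsecureTransport" is an assumed name, and audit_account() assumes boto3 with credentials holding the permissions listed under Pre-Requisites; only that function contacts AWS.

```python
"""Offline check and idempotent remediation for the aws:SecureTransport Deny rule.

Added example, not from the benchmark page. The policy checks run on any policy
document string; audit_account() assumes boto3 and AWS credentials.
"""
import json

SID = "DenyInsecureTransport"  # assumed statement id; any unique Sid works

# Constructed sample: an existing policy with no transport restriction at all.
SAMPLE_NO_DENY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: the Deny covers objects only, so bucket-level calls such
# as ListBucket are still accepted over plaintext HTTP. grep would pass this.
SAMPLE_OBJECTS_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_bucket_and_objects(resources, bucket):
    """True if resources include both arn:aws:s3:::bucket and arn:aws:s3:::bucket/*."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    have_bucket = have_objects = False
    for r in resources:
        if r in ("*", "arn:aws:s3:::*", bucket_arn + "*"):
            return True
        have_bucket |= r == bucket_arn
        have_objects |= r == bucket_arn + "/*"
    return have_bucket and have_objects


def deny_statement(bucket):
    """The Deny statement this control requires, covering bucket and objects."""
    return {
        "Sid": SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def enforces_https(policy_json, bucket):
    """True only if a Deny statement blocks plaintext HTTP for bucket and objects."""
    if not policy_json:  # empty string stands for NoSuchBucketPolicy
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        # condition keys are case-insensitive in IAM, so compare lower-cased
        bool_cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        values = _as_list(bool_cond.get("aws:securetransport"))
        if not values or any(str(v).lower() != "false" for v in values):
            continue
        if _covers_bucket_and_objects(_as_list(stmt.get("Resource")), bucket):
            return True
    return False


def add_https_enforcement(policy_json, bucket):
    """Append the Deny statement, keeping existing statements; no-op if compliant."""
    if enforces_https(policy_json, bucket):
        return policy_json
    policy = json.loads(policy_json) if policy_json else {"Version": "2012-10-17", "Statement": []}
    policy.setdefault("Version", "2012-10-17")
    policy["Statement"] = _as_list(policy.get("Statement")) + [deny_statement(bucket)]
    return json.dumps(policy, indent=2)


def audit_account(remediate=False):
    """Check every bucket in the account and optionally apply the fix (needs boto3)."""
    import boto3  # imported here so the offline checks above need no SDK
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    status = {}
    for bucket in (b["Name"] for b in s3.list_buckets()["Buckets"]):
        try:
            current = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise  # AccessDenied etc. is not "no policy": never report compliant
            current = ""
        status[bucket] = enforces_https(current, bucket)
        if remediate and not status[bucket]:
            s3.put_bucket_policy(Bucket=bucket, Policy=add_https_enforcement(current, bucket))
    return status


if __name__ == "__main__":
    for name, ok in audit_account().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

Run it with no arguments to get a PASS/FAIL line per bucket; call audit_account(remediate=True) to apply the statement to every failing bucket. Because add_https_enforcement() preserves the existing Statement array and returns the input unchanged when the control is already met, it is safe to run repeatedly, and the pre-change policy retrieved by get_bucket_policy is the artifact to keep for the backout plan.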
Backout Plan:
If applications require HTTP access, restore the policy that was in place before the change:
Step 1: Re-apply the unmodified copy of policy.json that was exported before the Deny statement was added:
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
Step 2: If the bucket had no policy before the change, remove the policy entirely (this deletes every statement, so use it only in that case):
aws s3api delete-bucket-policy --bucket <bucket_name>
Do not back out by adding a statement such as { "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::<bucket_name>/*" }: an Allow for Principal "*" grants anonymous public access to the bucket. Removing the Deny statement is sufficient, because S3 accepts HTTP whenever no policy denies it.
Test to ensure HTTP access is restored.