Ensure your S3 buckets are only allowing data to be written over SSL

Ensure that your S3 buckets enforce encryption in transit by refusing any request that is not made over TLS (HTTPS). This is done with a bucket policy that denies access when the aws:SecureTransport condition key is false. Note that the Deny applies to every action, so reads as well as writes over plain HTTP are rejected. This is a security best practice and should always be enabled on every bucket. Enabling it will help with NIST, PCI-DSS, HIPAA and GDPR compliance.

Audit & Remediation

  • In the Amazon S3 console, select the Name hyperlink for the bucket you would like to check.
  • Under Permissions, select Bucket Policy.
  • If no bucket policy is defined, add the following policy (replace BUCKET_NAME with the name of the bucket). The Condition matches any request made over plain HTTP (aws:SecureTransport evaluates to "false"), and because an explicit Deny always wins in policy evaluation, such requests are refused no matter what other statements allow:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::BUCKET_NAME/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

    A Resource of arn:aws:s3:::BUCKET_NAME/* covers object-level operations (GetObject, PutObject and so on) but not bucket-level operations such as ListBucket. To refuse those over HTTP as well, list the bucket ARN itself as a second entry: "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"].

  • If a policy already exists but has no statement with a Condition on aws:SecureTransport, append the following statement to its Statement array (replace BUCKET_NAME with the name of the bucket):

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "*",
  "Resource": "arn:aws:s3:::BUCKET_NAME/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}

  • Select Save to apply the policy.
  • Repeat these steps for every S3 bucket in the account.
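The audit and remediation logic of the steps above, written as a script so it can be run against every bucket instead of clicking through the console one bucket at a time. This is an added example, not code from the page or from Intelligent Discovery. It assumes a bucket name, a Sid label (DenyInsecureTransport) and two constructed sample policies; it also adds the bucket ARN as a second Resource in the generated Deny statement so bucket-level operations over HTTP are refused too, which goes one step beyond the object-only Resource shown on the page. The check and the fix work on the policy document alone, so the script runs offline with no AWS credentials.

```python
import copy
import json
from typing import Optional


def deny_insecure_transport_statement(bucket: str) -> dict:
    """The Deny statement from the remediation steps, with the bucket ARN added
    as a second Resource. The Sid is an assumed label, not an AWS requirement."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value) -> list:
    """Policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def enforces_tls(policy: Optional[dict], bucket: str) -> bool:
    """Audit check: does some statement deny everyone all actions on the
    bucket's objects when aws:SecureTransport is false?"""
    if not policy:
        return False
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        resources = _as_list(stmt.get("Resource"))
        if object_arn not in resources and "*" not in resources:
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if str(bool_cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def remediate(policy: Optional[dict], bucket: str) -> dict:
    """Return a policy that enforces TLS: a new policy if none exists, or the
    existing policy with the Deny statement appended. Idempotent, and never
    mutates the input."""
    if enforces_tls(policy, bucket):
        return copy.deepcopy(policy)
    if policy:
        fixed = copy.deepcopy(policy)
        fixed["Statement"] = _as_list(fixed.get("Statement"))
    else:
        fixed = {"Version": "2012-10-17", "Statement": []}
    fixed["Statement"].append(deny_insecure_transport_statement(bucket))
    return fixed


# Constructed sample inputs (not taken from any real account).
BUCKET = "example-bucket"

# The policy exactly as the page shows it, for BUCKET.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# An existing policy with an unrelated Allow and no SecureTransport condition.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontRead",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

if __name__ == "__main__":
    for label, policy in (("no policy", None), ("page policy", PAGE_POLICY),
                          ("existing policy", EXISTING_POLICY)):
        print(f"{label}: enforces TLS = {enforces_tls(policy, BUCKET)}")
    print(json.dumps(remediate(EXISTING_POLICY, BUCKET), indent=2))
```

To run this against a real account, feed it the output of boto3's `s3.get_bucket_policy(Bucket=name)["Policy"]` (a JSON string, so pass it through `json.loads`; the call raises a ClientError with code NoSuchBucketPolicy when the bucket has no policy, which maps to the `None` case here) and write the result back with `s3.put_bucket_policy(Bucket=name, Policy=json.dumps(fixed))`. Review the generated policy before applying it: the Deny is unconditional for HTTP clients, so any legacy tooling still using plain HTTP will start failing.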

See all of your AWS S3 buckets in a single place!

Do you want to see all S3 buckets in one place, across all regions and all accounts?
Log in to our online demo to see exactly what this looks like.
demo.intelligentdiscovery.io

 
