Ensure S3 Bucket Policy is set to deny HTTP requests

gsl logic
Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read
Learn more:
Compliance Engine
GSL Language
Remediation
From Portal
1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. In the Buckets list, choose the name of the bucket that you want to create a bucket policy for or whose bucket policy you want to edit.
3. Choose Permissions.
4. Under Bucket policy, choose Edit. This opens the Edit bucket policy page.
5. On the Edit bucket policy page, explore Policy examples in the Amazon S3 User Guide, choose Policy generator to generate a policy automatically, or edit the JSON in the Policy section.
Here add a policy statement that will Deny request with SecureTransport=false
6. In the Policy box, edit the existing policy or paste the bucket policy from the Policy generator. Make sure to resolve security warnings, errors, general warnings, and suggestions before you save your policy.
7. Choose Save changes, which returns you to the Bucket Permissions page.
From TF
Add a policy document to deny non-secure transport as follows:
data "aws_iam_policy_document" "example" {
...
statement {
effect = "Deny"
actions = [
"s3:*",
]
resources = [
"S3_BUCKET_ARN",
]
condition {
test = "Bool"
variable = "aws:SecureTransport"
values = [
"false"
]
}
}
...
}
From Command Line
To add a policy to deny non-secure transport, run:
References
1. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html
2. https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
3. https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
4. https://registry.terraform.io/providers/hashicorp/aws/3.3.0/docs/data-sources/iam_policy_document
5. https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html
Auto Remediation Using Cloudbots
What it does: Ensure that S3 Buckets enforce encryption of data transfers using Secure Sockets Layer (SSL)
Usage: s3_only_allow_ssl
Note: The bot looks at the bucket policy and adds to the current policy the missing actions(s3:GetObject and s3:PutObject)
and the SSL statement.
if no policy in the bucket, an SSL policy will add to the bucket
Limitations: none
cloudbot_name: s3_only_allow_ssl
Simple Storage Service (S3)
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere ��� web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every indu
Related Links:
Getting Started with Amazon Simple Storage Service
Compliance Frameworks






