S3 Buckets Secure Transport (SSL)

Risk Level: High
Simple Storage Service (S3)
Rule ID: D9.AWS.CRY.04
Category: Storage
Ensure that S3 Buckets enforce encryption of data transfers using Secure Sockets Layer (SSL)

GSL Logic

S3Bucket should have policy.Statement contain [Effect='Deny' and Condition.Bool.aws:SecureTransport='false'] and policy.Statement contain [Action contain ['s3:GetObject'] or Action contain ['s3:*']]

Dome9 rules are powered by the Governance Specification Language (GSL). GSL allows our customers to write and run custom security and compliance checks that can be easily read

Learn more:
Compliance Engine
GSL Language

Remediation

On the AWS S3 console, for each bucket that failed the rule, navigate to the Permissions tab, and then Bucket Policy, and create a policy to deny requests that do not use SSL. You can copy/modify an existing policy, or use the Policy Generator wizard to create a policy step-by-step.

Refer to: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html
and https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
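The following Python is an added example, not Dome9's own code or part of the GSL engine. It embeds a constructed bucket policy of the kind the remediation above asks for (a Deny on any request where aws:SecureTransport is false) next to a constructed policy that only grants reads, and evaluates both against the same two conditions the GSL rule above expresses. Bucket names and statement Sids are placeholders; the policy fields handled (Statement and Action as either a single value or a list, the condition value as the string "false" or a JSON boolean) reflect how real IAM documents vary.

```python
import json

# Constructed sample: a bucket policy that satisfies the rule by denying
# every S3 action when the request was not made over TLS. The bucket name
# is a placeholder.
COMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
})

# Constructed sample: a policy that grants object reads but never denies
# plaintext HTTP, so it fails the rule. Note that Statement is a single
# object here rather than a list, which IAM also accepts.
NONCOMPLIANT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ReadOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
})


def _as_list(value):
    """Statement, Action and condition values may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    """True if the statement is a Deny keyed on aws:SecureTransport being false."""
    if stmt.get("Effect") != "Deny":
        return False
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    # Policy authors usually write the string "false"; some tooling emits a
    # JSON boolean, so both spellings are accepted.
    flags = _as_list(bool_cond.get("aws:SecureTransport"))
    return any(str(flag).lower() == "false" for flag in flags)


def _covers_get_object(stmt):
    """True if the statement's Action names s3:GetObject or the s3:* wildcard."""
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return "s3:getobject" in actions or "s3:*" in actions


def enforces_secure_transport(policy_document):
    """Evaluate a bucket policy (JSON string or dict) against rule D9.AWS.CRY.04.

    Mirrors the GSL logic: some statement must be a Deny conditioned on
    aws:SecureTransport being false, and some statement must name
    s3:GetObject or s3:*. Returns True when the policy passes.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(policy.get("Statement"))
    has_deny = any(_denies_insecure_transport(s) for s in statements)
    has_get_object = any(_covers_get_object(s) for s in statements)
    return has_deny and has_get_object


def find_violations(policies_by_bucket):
    """Return the names of buckets whose policy fails the rule, in input order."""
    return [name for name, doc in policies_by_bucket.items() if not enforces_secure_transport(doc)]


if __name__ == "__main__":
    sample = {"example-bucket": COMPLIANT_POLICY, "legacy-bucket": NONCOMPLIANT_POLICY}
    for bucket in find_violations(sample):
        print(f"{bucket}: bucket policy does not deny non-TLS requests")
```

A policy document retrieved from S3 (for example the output of `aws s3api get-bucket-policy`, which returns the policy as a JSON string) can be passed to `enforces_secure_transport` as-is. The check follows the GSL rule literally, so the Deny statement and the statement naming s3:GetObject may be different statements; a Deny on s3:* with the SecureTransport condition, as in the compliant sample, satisfies both conditions on its own.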

Simple Storage Service (S3)

Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry.

Compliance Frameworks

BP_0318 GDPR HIPAA ISO27001 NIST_CSF PCIDSS32