[S3.5]
S3 buckets should require requests to use Secure Socket Layer
Description
S3 buckets should have bucket policies that require requests to use SSL (Secure Socket Layer). When a policy only accepts data transmitted over a secure transport layer, your data is better protected while in transit. This rule is COMPLIANT when S3 buckets require requests to use SSL.
Details
| Property | Value | 
|---|---|
| Category | Protect > Secure access management | 
| Compliance Control ID | S3.5 | 
| FortifyFox ID | FF100050 | 
| Link | S3.5 Compliance | 
| Resource Type(s) | AWS::S3::Bucket, AWS::S3::BucketPolicy | 
| Severity | Medium | 
| Parameters | PolicyDocument | 
| Value | An AWS IAM Policy document | 
Remediation
Use the following CloudFormation templates to deploy an S3 bucket that is compliant with S3.5.
YAML Template
```yaml
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: your-bucket-name
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Id: SSLUsePolicy
        Version: '2012-10-17'
        Statement:
        - Sid: AllowSSLRequestsOnly
          Action: s3:*
          Effect: Deny
          Resource:
          - arn:aws:s3:::your-bucket-name
          - arn:aws:s3:::your-bucket-name/*
          Condition:
            Bool:
              aws:SecureTransport: 'false'
          Principal: "*"
```
JSON Template
```json
{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "your-bucket-name"
      }
    },
    "S3BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "S3Bucket"
        },
        "PolicyDocument": {
          "Id": "SSLUsePolicy",
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AllowSSLRequestsOnly",
              "Action": "s3:*",
              "Effect": "Deny",
              "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
              ],
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": "false"
                }
              },
              "Principal": "*"
            }
          ]
        }
      }
    }
  }
}
```
📓 Notes
- You can replace “your-bucket-name” with a globally unique name; it appears in the bucket's BucketName and in both Resource ARNs of the policy, and all three must match.
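To check an existing bucket policy against this control, the following added example (not FortifyFox's own checker) parses a policy document and reports whether it contains a Deny statement of the shape shown in the templates: any principal, all S3 actions, both the bucket and object ARNs, and `aws:SecureTransport` false. The sample policies are constructed here, with the page's placeholder bucket name.

```python
import json

BUCKET = "your-bucket-name"  # placeholder, as in the page's templates


def sample_policy(resources):
    """Constructed sample shaped like the page's SSLUsePolicy (added example)."""
    return json.dumps({"Id": "SSLUsePolicy", "Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSSLRequestsOnly", "Action": "s3:*", "Effect": "Deny",
        "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        "Principal": "*"}]})


# Full template policy, and a variant missing the object ARN so that object
# requests over plain HTTP would still be accepted.
COMPLIANT_POLICY = sample_policy([f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"])
INCOMPLETE_POLICY = sample_policy([f"arn:aws:s3:::{BUCKET}"])


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_is_everyone(principal):
    # "*" or {"AWS": "*"} both mean any principal, authenticated or anonymous.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def statement_denies_insecure_transport(stmt, bucket):
    """True if the statement denies all S3 actions on the bucket and its objects,
    for any principal, whenever aws:SecureTransport is false."""
    if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
        return False
    actions = _as_list(stmt.get("Action"))
    if "s3:*" not in actions and "*" not in actions:
        return False
    resources = set(_as_list(stmt.get("Resource")))
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if "*" not in resources and not {bucket_arn, bucket_arn + "/*"} <= resources:
        return False
    # Condition keys are case-insensitive; the value may be "false" or false.
    bools = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
    return str(bools.get("aws:securetransport")).lower() == "false"


def bucket_requires_ssl(policy_json, bucket):
    """S3.5 check: at least one statement must deny non-SSL requests outright."""
    policy = json.loads(policy_json)
    return any(statement_denies_insecure_transport(s, bucket)
               for s in _as_list(policy.get("Statement")))
```

The check deliberately requires both the bucket ARN and the `/*` object ARN, since a deny that covers only one of them leaves the other reachable over plain HTTP.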