This rule specifies that S3 buckets must enforce SSL/TLS, that is, reject any request that does not arrive over HTTPS, so that data in transit to and from the bucket is encrypted.
| Rule | S3 buckets should enforce SSL |
|------|-------------------------------|
| Framework | CISA-cyber-essentials |
| Severity | ✔ Medium |
Rule Description
S3 buckets should enforce SSL for CISA Cyber Essentials compliance. "SSL" is the historical name; S3 endpoints today negotiate TLS (Transport Layer Security), and what the rule actually checks is that the bucket policy denies requests made over plain HTTP. S3 accepts both HTTP and HTTPS by default, so without an explicit Deny a client (or a misconfigured SDK) can read and write objects in cleartext. The enforcement mechanism is a bucket policy statement that denies all S3 actions when the request context key aws:SecureTransport is false. Requiring HTTPS protects credentials, object contents and metadata from interception or modification on the network path; it does not replace access controls or encryption at rest.
Troubleshooting Steps
If the rule reports that SSL enforcement is not enabled for a bucket, work through the following checks:
Check S3 Bucket Policy: The finding almost always means the bucket policy has no Deny statement conditioned on aws:SecureTransport being false (or has no bucket policy at all). Review the policy for a statement with Effect "Deny", Principal "*", Action "s3:*", both the bucket ARN and the bucket/* ARN as resources, and the condition "Bool": {"aws:SecureTransport": "false"}. A statement that covers only objects (bucket/*) and not the bucket itself leaves bucket-level operations such as listing reachable over HTTP. Note that there is no setting that "disables" SSL on a bucket; HTTP is simply allowed unless a policy denies it.
Verify SSL/TLS Settings: S3 does not expose per-bucket protocol or cipher configuration; the TLS handshake is handled by the service endpoint. If a minimum TLS version is also required, add a second Deny statement with the condition "NumericLessThan": {"s3:TlsVersion": "1.2"} rather than looking for a setting in the console.
Confirm Bucket Access Control Settings: Check which principals hold s3:PutBucketPolicy and s3:DeleteBucketPolicy on the bucket. Anyone who can edit or remove the policy can silently remove the Deny statement, so that permission should be restricted to the roles that manage the bucket.
Review Bucket Encryption Options: Encryption in transit (this rule) and encryption at rest are separate controls. While reviewing the bucket, confirm that default server-side encryption (SSE-S3 or SSE-KMS) is configured so that objects are also protected once stored.
Necessary Code
To enforce SSL for an S3 bucket, add a Deny statement to the bucket policy that matches every request made without TLS. The following policy document is a complete example; if the bucket already has a policy, append the "EnforceSSL" statement to the existing "Statement" array instead of replacing the policy, so that existing Allow statements are preserved:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceSSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Replace "your-bucket-name" with the actual name of your S3 bucket in both Resource entries. The two ARNs are both needed: the bucket ARN covers bucket-level operations (ListBucket, GetBucketPolicy and similar) and the bucket/* ARN covers object operations. Because the statement is a Deny, it takes precedence over any Allow that would otherwise apply to an HTTP request, and it does not by itself grant anyone access.
Step-by-Step Guide for Remediation
Follow the step-by-step guide below to enforce SSL for S3 buckets:
Open the Amazon S3 console and navigate to the bucket for which you want to enforce SSL.
Click on the "Permissions" tab.
Scroll down to the "Bucket Policy" section and click on the "Edit" button.
If the bucket has no policy yet, paste the policy provided above; if it already has one, add the "EnforceSSL" statement to the existing "Statement" array rather than overwriting the policy, since overwriting would drop the Allow statements that grant legitimate access. In either case replace "your-bucket-name" with the actual name of your bucket.
Click on the "Save changes" button to update the bucket policy.
Verify SSL Enforcement: To confirm that SSL is now required, repeat a request that is normally permitted (for example, listing the bucket with credentials that have s3:ListBucket) using an http:// endpoint instead of https://. The request should fail with an AccessDenied error, and the same request over https:// should still succeed. Use a credentialed, otherwise-authorized identity for this check: an anonymous HTTP request to a non-public bucket returns 403 regardless of the policy and therefore proves nothing.
By following these steps, you have enforced SSL for your S3 bucket, ensuring that every request to it must be made over TLS.
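The following script is an added example, not code from the original page or from AWS. It shows the two things the policy section and the remediation steps above leave to the reader: merging the "EnforceSSL" Deny statement (and an optional s3:TlsVersion floor) into an existing bucket policy without dropping its other statements, and verifying the result with a credentialed client over plain HTTP and over HTTPS. The pure-policy functions run offline; the apply/verify functions assume boto3 is installed and AWS credentials are configured, and the bucket name "your-bucket-name" and the "AllowCI" statement are placeholders.

```python
"""Enforce HTTPS on an S3 bucket by merging a Deny statement into its policy.

Added example for the rule page above, not AWS or the page's own code.
Assumptions: boto3 and AWS credentials are available only for the live
apply_to_bucket()/verify_https_required() path; everything else is offline.
"""
import copy
import json
from typing import Optional


def _bucket_resources(bucket: str) -> list:
    # Both ARNs are needed: bucket-level operations and object operations.
    return [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]


def enforce_ssl_statement(bucket: str) -> dict:
    """The Deny statement shown on the page, parameterised by bucket name."""
    return {
        "Sid": "EnforceSSL",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": _bucket_resources(bucket),
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def min_tls_statement(bucket: str, version: str = "1.2") -> dict:
    """Optional floor on the negotiated TLS version (s3:TlsVersion condition key)."""
    return {
        "Sid": "EnforceMinTlsVersion",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": _bucket_resources(bucket),
        "Condition": {"NumericLessThan": {"s3:TlsVersion": version}},
    }


def merge_statements(existing: Optional[dict], bucket: str,
                     min_tls: Optional[str] = None) -> dict:
    """Return a new policy that keeps every existing statement and adds the
    deny statements, replacing only statements that carry the same Sid."""
    policy = copy.deepcopy(existing) if existing else {"Version": "2012-10-17", "Statement": []}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # single-statement shorthand is legal JSON policy
        stmts = [stmts]
    new = [enforce_ssl_statement(bucket)]
    if min_tls:
        new.append(min_tls_statement(bucket, min_tls))
    new_sids = {s["Sid"] for s in new}
    policy["Statement"] = [s for s in stmts if s.get("Sid") not in new_sids] + new
    return policy


def is_denied(policy: dict, secure_transport: bool, tls_version: float = 1.2) -> bool:
    """Offline check of the two conditions used here. Not a full IAM evaluator:
    it models only Deny statements with Bool aws:SecureTransport and
    NumericLessThan s3:TlsVersion, and ignores Principal/Resource matching."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        want = cond.get("Bool", {}).get("aws:SecureTransport")
        if want is not None and str(secure_transport).lower() == want:
            return True
        floor = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if floor is not None and tls_version < float(floor):
            return True
    return False


def apply_to_bucket(bucket: str, min_tls: Optional[str] = None) -> dict:
    """Live path: read the current policy (if any), merge, and write it back."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        existing = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        existing = None
    merged = merge_statements(existing, bucket, min_tls)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(merged))
    return merged


def verify_https_required(bucket: str) -> bool:
    """Live check with the caller's credentials: a plain-HTTP list must be
    rejected with AccessDenied while the same call over HTTPS succeeds."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3", use_ssl=False).list_objects_v2(Bucket=bucket, MaxKeys=1)
        return False  # HTTP still works, so the Deny is not effective
    except ClientError as e:
        if e.response["Error"]["Code"] != "AccessDenied":
            raise
    boto3.client("s3", use_ssl=True).list_objects_v2(Bucket=bucket, MaxKeys=1)
    return True


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "your-bucket-name"  # placeholder
    print(json.dumps(apply_to_bucket(target, min_tls="1.2"), indent=2))
    print("HTTPS enforced:", verify_https_required(target))
```

merge_statements is idempotent, so it is safe to run from a remediation pipeline: re-applying it replaces the two managed statements by Sid and leaves everything else untouched. verify_https_required deliberately uses the caller's own credentials rather than an anonymous request, because an anonymous HTTP request to a private bucket is denied whether or not the policy is in place.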