Rule: S3 Buckets should enforce SSL

This rule specifies that S3 buckets must enforce SSL for secure data transfer.

Rule: S3 buckets should enforce SSL
Framework: CISA-cyber-essentials
Severity: Medium

Rule Description

S3 buckets should enforce SSL (Secure Sockets Layer) for CISA Cyber Essentials compliance. This rule ensures that data transferred to and from S3 buckets is securely encrypted using SSL/TLS (Transport Layer Security). By enforcing SSL, the risk of unauthorized access or interception of data is minimized.

Troubleshooting Steps

If SSL enforcement is not enabled for S3 buckets, follow the troubleshooting steps below:

  1. Check S3 Bucket Policy: Review the bucket policy to ensure that SSL enforcement is not explicitly disabled. Look for any statements that allow HTTP access or disable SSL.

  2. Verify SSL/TLS Settings: Confirm that the SSL/TLS settings are properly configured for the S3 bucket. Ensure that SSL is enabled and set to the appropriate secure protocols and ciphers.

  3. Confirm Bucket Access Control Settings: Check the bucket's access control settings to ensure that only authorized users or roles have permission to modify the bucket policy or access the bucket contents.

  4. Review Bucket Encryption Options: Verify that the encryption settings for the S3 bucket are properly configured. Consider enabling server-side encryption to enhance data security.

Necessary Code

To enforce SSL for S3 buckets, you need to configure the bucket policy to require SSL/TLS. Use the following code snippet as an example to modify the bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace "your-bucket-name" with the actual name of your S3 bucket in the code above.
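As an added example (not code from the original rule page or from Cloud Defense), the following Python script does two things: it generates the bucket policy shown above for a given bucket name, and it checks an existing policy document for the Deny-on-aws:SecureTransport statement that troubleshooting step 1 asks you to look for. The check goes slightly beyond the page's text in that it also flags a common weak variant, a Deny that covers only the object ARN (bucket-name/*) and not the bucket ARN itself, which leaves bucket-level requests such as listing unprotected. The function names and the constructed WEAK_POLICY_EXAMPLE are assumptions for illustration.

```python
import json


def build_ssl_enforcement_policy(bucket_name):
    """Return the Deny-if-not-SecureTransport policy from the rule page
    for the given bucket (covers both the bucket ARN and its objects)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnforceSSL",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"{bucket_arn}/*", bucket_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for the two spellings of 'every principal': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def enforces_ssl(policy_document, bucket_name):
    """Return True if the policy contains a Deny statement that blocks
    non-TLS requests (aws:SecureTransport == false) from every principal,
    for every S3 action, on BOTH the bucket ARN and its object ARNs.

    policy_document may be a dict or the JSON string S3 returns."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    object_arn = f"{bucket_arn}/*"

    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        # The Bool value is normally the string "false"; tolerate a JSON false too.
        flags = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        if "false" not in [str(f).lower() for f in flags]:
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" in resources or {bucket_arn, object_arn} <= resources:
            return True
    return False


# Constructed sample (assumption, not a real bucket): the Deny covers only
# object keys, so bucket-level requests over plain HTTP are not denied.
WEAK_POLICY_EXAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ObjectsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


if __name__ == "__main__":
    good = build_ssl_enforcement_policy("my-bucket")
    print(json.dumps(good, indent=4))
    print("generated policy enforces SSL:", enforces_ssl(good, "my-bucket"))
    print("weak sample enforces SSL:     ", enforces_ssl(WEAK_POLICY_EXAMPLE, "my-bucket"))
```

To audit a real bucket, feed `enforces_ssl` the JSON string that `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` prints; a False result means the policy needs the full Deny statement from the Necessary Code section.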

Step-by-Step Guide for Remediation

Follow the step-by-step guide below to enforce SSL for S3 buckets:

  1. Open the Amazon S3 console and navigate to the bucket for which you want to enforce SSL.

  2. Click on the "Permissions" tab.

  3. Scroll down to the "Bucket Policy" section and click on the "Edit" button.

  4. Replace the existing bucket policy with the necessary code provided above, ensuring that you replace "your-bucket-name" with the actual name of your bucket.

  5. Click on the "Save changes" button to update the bucket policy.

  6. Verify SSL Enforcement: To confirm that SSL enforcement is now enabled, try accessing the bucket using http:// instead of https://. You should receive an access denied error, indicating that SSL is required.

By following these steps, you have successfully enforced SSL for your S3 bucket, ensuring that all data transfers are encrypted using SSL/TLS.
