
Rule: S3 Buckets should enforce SSL

This rule checks that each S3 bucket's policy rejects requests that are not made over an encrypted (HTTPS/TLS) connection, so that data in transit is never sent in cleartext.

Rule: S3 buckets should enforce SSL
Framework: FedRAMP Low Revision 4
Severity: Medium

Rule/Policy Description:

The rule requires that every S3 bucket in the AWS account that is in scope for FedRAMP Low (Revision 4) enforces encrypted transport: the bucket policy must deny any request that is not made over HTTPS. "SSL" is the historical name; what is actually negotiated today is TLS. The check AWS exposes for this is the aws:SecureTransport condition key, which is true for HTTPS requests and false for plain HTTP, and S3 has no separate "enable SSL" setting: enforcement lives entirely in the bucket policy.

Steps for Troubleshooting (if applicable):

If SSL enforcement is not in place, you may encounter the following issues:

  1. Objects uploaded to or downloaded from the bucket over plain HTTP traverse the network in cleartext and can be read or tampered with in transit (request signing protects the signature, not the payload).
  2. Non-compliance with the FedRAMP Low Revision 4 transport-encryption requirement.
  3. Audit findings and potential regulatory non-compliance.

To troubleshoot SSL enforcement on an S3 bucket, follow these steps:

  1. Confirm the bucket has a bucket policy at all (for example with aws s3api get-bucket-policy --bucket your-bucket-name). Because S3 always accepts HTTPS, there is nothing to "enable"; only a policy can reject HTTP.
  2. Review that policy for a statement with "Effect": "Deny", "Principal": "*", "Action": "s3:*" and the condition "Bool": {"aws:SecureTransport": "false"}.
  3. Check that the Deny statement's Resource covers both the bucket ARN (arn:aws:s3:::your-bucket-name) and its objects (arn:aws:s3:::your-bucket-name/*). A Deny on objects only still leaves bucket-level calls such as ListBucket reachable over HTTP.
  4. Test with valid credentials over plain HTTP, for example aws s3 ls s3://your-bucket-name --endpoint-url http://s3.<region>.amazonaws.com, and expect an AccessDenied error; the same command without --endpoint-url (HTTPS) should succeed. An unauthenticated curl to an http:// URL is not a useful test, because anonymous requests are denied regardless of the policy.
  5. Review S3 server access logs or CloudTrail S3 data events for requests that still arrive over plain HTTP; once enforcement is in place they should appear only as AccessDenied.

Necessary Codes (if applicable):

To enforce SSL on a bucket, attach the following bucket policy statement, either in the console or with aws s3api put-bucket-policy --bucket your-bucket-name --policy file://policy.json. The Deny must name both the bucket ARN and the bucket's objects; with the objects ARN alone, bucket-level operations remain reachable over HTTP. If the bucket already has a policy, add this statement to its existing "Statement" array instead of replacing the policy.

{
    "Version": "2012-10-17",
    "Id": "EnforceSSLOnly",
    "Statement": [
        {
            "Sid": "ForceSSLOnlyAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name",
                "arn:aws:s3:::your-bucket-name/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Step-by-Step Guide for Remediation:

To enforce SSL for an S3 bucket, follow these steps:

  1. Identify the target S3 bucket that needs SSL enforcement.
  2. Open the AWS Management Console and navigate to the S3 service.
  3. Locate the target bucket in the list and select it.
  4. Click on the "Permissions" tab.
  5. Under "Bucket Policy," click on the "Edit" button.
  6. If the bucket has no policy, paste the policy provided above. If it already has one, add the "ForceSSLOnlyAccess" statement to the existing "Statement" array; replacing the whole policy would drop the grants the bucket currently depends on.
  7. Update both entries in the 'Resource' field to reflect the bucket's ARN (the bucket itself and the bucket followed by /*).
  8. Click on the "Save changes" button to apply the updated bucket policy.
  9. Test the enforcement with valid credentials over plain HTTP, for example aws s3 ls s3://your-bucket-name --endpoint-url http://s3.<region>.amazonaws.com.
  10. That request should now fail with AccessDenied, while the same request over HTTPS (the CLI default) continues to succeed.

By following these steps, SSL enforcement is applied to the target S3 bucket, satisfying the FedRAMP Low Revision 4 transport-encryption requirement. Note that the Deny applies to every principal, including the bucket owner and any AWS service that reads the bucket, so any remaining HTTP client of the bucket must be moved to HTTPS before the policy is saved.
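The troubleshooting check and the remediation step above can be automated. The example below is added here and is not Cloud Defense's or AWS's code: it evaluates a bucket policy document the way the rule does (a Deny for all principals on s3:* covering both the bucket ARN and its objects, conditioned on aws:SecureTransport being false) and merges the Deny statement into an existing policy rather than overwriting it. The bucket name, account ID, role name and the starting policy are constructed for the example.

```python
import copy
import json

# Constructed sample input (not from the page): a bucket policy that already
# grants read access to a hypothetical role and says nothing about transport.
BUCKET = "example-bucket"
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

SSL_SID = "ForceSSLOnlyAccess"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def enforces_ssl(policy, bucket):
    """True if the policy denies every plain-HTTP request to the bucket AND its objects.

    A Deny on bucket/* alone leaves bucket-level calls such as ListBucket reachable
    over HTTP, so both ARNs must be covered (possibly across several statements).
    """
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        covered.update(_as_list(stmt.get("Resource")))
    return required <= covered


def ssl_deny_statement(bucket, sid=SSL_SID):
    """The Deny statement the rule expects, naming the bucket and its objects."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def add_ssl_enforcement(policy, bucket, sid=SSL_SID):
    """Return a new policy with the SSL-only Deny merged in.

    Existing statements are kept (replacing the whole policy would drop the Allow
    grants the bucket depends on). A statement that already carries the same Sid
    but is incomplete, e.g. covering only bucket/*, is replaced in place. The
    function is idempotent and never mutates its input.
    """
    new_policy = copy.deepcopy(policy) if policy else {}
    new_policy.setdefault("Version", "2012-10-17")
    statements = _as_list(new_policy.get("Statement"))
    new_policy["Statement"] = statements
    if enforces_ssl(new_policy, bucket):
        return new_policy
    deny = ssl_deny_statement(bucket, sid)
    for i, stmt in enumerate(statements):
        if stmt.get("Sid") == sid:
            statements[i] = deny
            return new_policy
    statements.append(deny)
    return new_policy


if __name__ == "__main__":
    print("enforced before:", enforces_ssl(EXISTING_POLICY, BUCKET))
    fixed = add_ssl_enforcement(EXISTING_POLICY, BUCKET)
    print("enforced after: ", enforces_ssl(fixed, BUCKET))
    # Write this out and apply it with:
    #   aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json
    print(json.dumps(fixed, indent=4))
```

In practice the input to add_ssl_enforcement is the "Policy" field returned by aws s3api get-bucket-policy (a JSON string, so json.loads it first), and the output goes to aws s3api put-bucket-policy. Running enforces_ssl over every bucket in an account gives the same pass/fail list the rule produces.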
