This rule enforces SSL for S3 buckets, with 17 out of 61 in compliance.
Rule | S3 buckets should enforce SSL
Framework | FedRAMP Moderate Revision 4
Severity | Medium
Rule Description
This rule requires that S3 buckets belonging to systems at the FedRAMP Moderate level, Revision 4, are configured to enforce the use of SSL (Secure Sockets Layer) for data transfer, so that data in transit between clients and the bucket is protected.
Troubleshooting Steps
If SSL enforcement is not properly configured, the bucket is reported as non-compliant. To troubleshoot and address this issue, follow the steps below:
Check the SSL settings: Review the bucket's SSL configuration to verify whether enforcement is enabled.
Verify FedRAMP compliance level: Ensure that the bucket in question falls under the FedRAMP Moderate level, Revision 4, and confirm the SSL enforcement requirements for this compliance level.
Check bucket policy settings: Review the bucket policy and access control settings to determine whether SSL enforcement is explicitly defined.
Review IAM policies: Make sure that the IAM policies associated with the bucket allow for SSL enforcement and do not override the SSL settings.
Validate SSL certificate: Ensure that the SSL certificate associated with the bucket is valid and properly configured.
Necessary Code
If SSL enforcement is not configured, you can use the AWS Command Line Interface (CLI) to update the bucket policy and enable the SSL requirement. The following command adds SSL enforcement to the bucket policy using the AWS CLI (the policy denies every S3 action on the bucket and its objects when the request did not arrive over SSL/TLS):
aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceSSL",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::YOUR_BUCKET_NAME/*",
        "arn:aws:s3:::YOUR_BUCKET_NAME"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}'
Ensure you replace YOUR_BUCKET_NAME (in both the --bucket argument and the two Resource ARNs) with the actual name of your S3 bucket.
Remediation Steps
To remediate a non-compliant S3 bucket and enforce SSL for FedRAMP Moderate Revision 4, follow the step-by-step guide below:
Access the AWS Management Console: Log in to your AWS account and navigate to the S3 service.
Choose the targeted bucket: Identify and select the S3 bucket that needs SSL enforcement.
Open the bucket properties: Click on the "Properties" tab for the selected bucket.
Configure bucket policy: From the properties menu, scroll down to the "Permissions" section and click on the "Edit bucket policy" button.
Add SSL enforcement: Replace the existing bucket policy with the code snippet provided above, or modify the existing policy to include the necessary SSL enforcement rules.
Save and apply the changes: Click on the "Save" button to update the bucket policy.
Test SSL enforcement: Perform tests to verify that SSL enforcement is properly configured and functional. Ensure that all client requests to the S3 bucket are automatically redirected to the HTTPS protocol.
By following these steps, you will successfully enforce SSL for your S3 bucket, meeting the requirements for FedRAMP Moderate Revision 4.
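The following is an added example, not code from the rule page or from any AWS tooling. It shows, offline, what the compliance check and the final test step amount to: a function that inspects a bucket policy document (the JSON string `aws s3api get-bucket-policy` returns) for a statement equivalent to the one in the Necessary Code section, and a small simulation of how that Deny statement evaluates a request made over plain HTTP versus one made over HTTPS. The acceptance criteria (Effect Deny, Principal `*`, Action `s3:*`, both the bucket and object ARNs, Bool `aws:SecureTransport` = `false`) are taken from the page's policy; the bucket name `example-bucket`, the two deliberately broken sample policies and the assumption that the simulated request is an object read are constructed for the example.

```python
"""Offline check for the S3 "enforce SSL" bucket-policy requirement.

Added example. Assumptions (not from the page): the policy document is the
JSON string returned by `aws s3api get-bucket-policy`, and the simulated
request is an object-level call such as s3:GetObject.
"""
import json


def enforce_ssl_policy(bucket_name):
    """Return the Deny-when-not-TLS policy shown on the page, for bucket_name."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnforceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"{bucket_arn}/*", bucket_arn],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_bucket_and_objects(resources, bucket_name):
    """Both the bucket ARN and the object ARN must be covered; otherwise HTTP
    bucket listings (or HTTP object reads) are not caught by the Deny."""
    res = set(_as_list(resources))
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    wildcard = bool(res & {"*", "arn:aws:s3:::*"})
    return wildcard or {bucket_arn, f"{bucket_arn}/*"} <= res


def _applies_to_everyone(principal):
    return principal == "*" or (
        isinstance(principal, dict) and _as_list(principal.get("AWS")) == ["*"])


def _secure_transport_condition(stmt):
    """The Bool aws:SecureTransport value as a lowercase string, or None."""
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if value is None:
        return None
    values = _as_list(value)
    return str(values[0]).lower() if len(values) == 1 else None


def statement_enforces_ssl(stmt, bucket_name):
    """A statement suffices if it denies everyone every S3 action on the
    bucket and its objects whenever aws:SecureTransport is false."""
    return (
        stmt.get("Effect") == "Deny"
        and _applies_to_everyone(stmt.get("Principal"))
        and bool({"s3:*", "*"} & set(_as_list(stmt.get("Action", []))))
        and _covers_bucket_and_objects(stmt.get("Resource", []), bucket_name)
        and _secure_transport_condition(stmt) == "false"
        # Negated fields invert the meaning; a strict check refuses them.
        and not any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource"))
    )


def policy_enforces_ssl(policy_json, bucket_name):
    """Compliance verdict for one bucket. No policy at all is non-compliant."""
    if not policy_json:
        return False
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    return any(statement_enforces_ssl(s, bucket_name)
               for s in _as_list(policy.get("Statement", [])))


def request_denied(policy, bucket_name, secure_transport):
    """Simulate the Deny side of evaluation for an object read (s3:GetObject)
    made over TLS (secure_transport=True) or plain HTTP (False). Only the
    aws:SecureTransport condition key is modelled."""
    ctx = "true" if secure_transport else "false"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _applies_to_everyone(stmt.get("Principal")):
            continue
        if not {"s3:*", "*", "s3:GetObject"} & set(_as_list(stmt.get("Action", []))):
            continue
        res = set(_as_list(stmt.get("Resource", [])))
        if not res & {"*", "arn:aws:s3:::*", f"arn:aws:s3:::{bucket_name}/*"}:
            continue
        if _secure_transport_condition(stmt) == ctx:
            return True
    return False


# Constructed sample policies (not from the page) showing two common mistakes.
PAGE_POLICY_JSON = json.dumps(enforce_ssl_policy("example-bucket"))
OBJECTS_ONLY = {  # bucket ARN missing: HTTP ListBucket is not denied
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
}
INVERTED = {  # "true" instead of "false": locks out TLS clients, admits HTTP
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
}

if __name__ == "__main__":
    for label, pol in (("page policy", PAGE_POLICY_JSON), ("objects only", OBJECTS_ONLY),
                       ("inverted", INVERTED), ("no policy", None)):
        print(f"{label:12}: compliant={policy_enforces_ssl(pol, 'example-bucket')}")
    print("HTTP read denied by page policy:",
          request_denied(enforce_ssl_policy("example-bucket"), "example-bucket", False))
```

The simulation only models the Deny statement, which is all this rule needs: with the page's policy applied, an HTTP object read is denied and the same read over HTTPS is not, while the inverted variant does the opposite and would break every TLS client. Feeding each bucket's `get-bucket-policy` output through `policy_enforces_ssl` reproduces the per-bucket compliant/non-compliant verdict the rule summary counts.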