Rule: S3 Buckets Should Enforce SSL

This rule ensures that S3 buckets enforce SSL for secure data transfer.

Rule: S3 buckets should enforce SSL
Framework: NIST 800-53 Revision 5
Severity: Medium

Rule Description

This rule, mapped to the NIST 800-53 Revision 5 framework, mandates that all S3 buckets enforce the use of SSL (Secure Sockets Layer) encryption to protect data in transit. With SSL enforced, data transferred between clients and S3 buckets remains encrypted and protected from unauthorized access.

Troubleshooting Steps

If SSL enforcement for an S3 bucket is not working as expected, work through these troubleshooting steps:

  1. Verify SSL support: Ensure that the target S3 bucket supports SSL encryption. Some older buckets may not have SSL encryption capabilities, so consider creating a new bucket if necessary.
  2. Check endpoint settings: Confirm that the S3 bucket's endpoint is configured to use SSL. This can be verified in the Amazon S3 bucket properties.
  3. Review IAM policies: Ensure that the IAM (Identity and Access Management) policies associated with the S3 bucket do not restrict SSL usage. Inspect the policy to confirm that SSL (HTTPS) access is allowed.
  4. Verify SSL certificate: If you are using a custom domain with SSL, ensure that the SSL certificate is valid and correctly set up.
  5. Check SSL-related settings: Review any SSL-related settings that might be present in the S3 bucket configuration. Ensure that SSL is enabled and configured correctly.

Necessary Codes

The following AWS Command Line Interface (CLI) command enforces SSL for an S3 bucket by applying a bucket policy that denies every S3 action on the bucket and its objects when the request was not made over a secure transport (aws:SecureTransport is false):

aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforceSSLAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                "arn:aws:s3:::YOUR_BUCKET_NAME"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}'
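The Python script below is an added example, not code from the Cloud Defense page or from AWS. It does two things a practitioner working this rule needs: it audits a bucket policy document the way the rule's check does (the policy review in Troubleshooting step 3), accepting it only when a Deny statement with aws:SecureTransport false covers all S3 actions on both the bucket ARN and its objects, and it merges the Deny statement from the policy above into an existing policy instead of overwriting it. The bucket name and the three sample policies are constructed for the example; to audit a real bucket, feed the script the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text`.

```python
"""Audit and remediate an S3 bucket policy for SSL (aws:SecureTransport) enforcement.

Added example, not Cloud Defense's or AWS's own code. Works on policy JSON text
such as the output of:
    aws s3api get-bucket-policy --bucket NAME --query Policy --output text
"""
import json

BUCKET = "example-audit-bucket"  # constructed placeholder bucket name


def _as_list(value):
    """Normalise a policy field that IAM accepts as either a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_bucket_and_objects(resources, bucket):
    """True when the statement applies to the bucket ARN and to its objects.

    A Deny on "arn:aws:s3:::bucket/*" alone still leaves bucket-level calls such
    as ListBucket reachable over plain HTTP, so both ARNs (or a wildcard that
    spans both) must be present.
    """
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    have = set(resources)
    wildcards = {"*", "arn:aws:s3:::*", f"arn:aws:s3:::{bucket}*"}
    return bool(have & wildcards) or wanted <= have


def statement_enforces_ssl(stmt, bucket):
    """True if one statement denies all S3 actions made without TLS."""
    if stmt.get("Effect") != "Deny":
        return False  # an Allow with SecureTransport=true grants HTTPS but never blocks HTTP
    if stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False  # must apply to every caller
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
        return False  # a Deny on only some actions leaves others open over HTTP
    flag = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
    if [str(v).lower() for v in flag] != ["false"]:
        return False
    return _covers_bucket_and_objects(_as_list(stmt.get("Resource")), bucket)


def policy_enforces_ssl(policy_json, bucket):
    """Evaluate a whole policy document (JSON text, or None when the bucket has none)."""
    if not policy_json:
        return False  # no policy at all: plaintext HTTP requests are not denied
    policy = json.loads(policy_json)
    return any(statement_enforces_ssl(s, bucket) for s in _as_list(policy.get("Statement")))


def ssl_deny_statement(bucket):
    """The Deny statement from the rule's remediation command, for the given bucket."""
    return {
        "Sid": "EnforceSSLAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def remediate_policy(existing_json, bucket):
    """Return policy JSON text with SSL enforcement present.

    put-bucket-policy replaces the entire document, so the Deny statement is
    appended to the existing statements; overwriting would silently drop any
    unrelated grants the bucket relies on.
    """
    if policy_enforces_ssl(existing_json, bucket):
        return existing_json  # already compliant: leave the document untouched
    policy = json.loads(existing_json) if existing_json else {"Statement": []}
    policy.setdefault("Version", "2012-10-17")
    policy["Statement"] = _as_list(policy.get("Statement")) + [ssl_deny_statement(bucket)]
    return json.dumps(policy, indent=4)


def statement_count(policy_json):
    """Number of statements in a policy document (helper for checking a merge)."""
    return len(_as_list(json.loads(policy_json).get("Statement")))


# Constructed sample policies for BUCKET (not taken from any real account).
POLICY_NONE = None
POLICY_OBJECTS_ONLY = json.dumps({  # common mistake: objects denied, bucket ARN forgotten
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})
POLICY_ALLOW_ONLY = json.dumps({  # grants HTTPS reads to one role but never denies HTTP
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOverTLS", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-reader"},
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

if __name__ == "__main__":
    for name, doc in [("no policy", POLICY_NONE), ("objects only", POLICY_OBJECTS_ONLY),
                      ("allow only", POLICY_ALLOW_ONLY)]:
        print(f"{name:13s} enforces SSL: {policy_enforces_ssl(doc, BUCKET)}")
    print(remediate_policy(POLICY_ALLOW_ONLY, BUCKET))
```

The merge in remediate_policy matters because `put-bucket-policy` replaces the whole policy document; running the command from this page verbatim on a bucket that already has a policy removes that policy's other statements. The Allow-only sample shows why the check insists on a Deny: a condition of aws:SecureTransport true on an Allow grants HTTPS access but does nothing to stop a plain HTTP request that some other grant permits.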

Step-by-Step Guide for Remediation

Follow these steps to enforce SSL for an S3 bucket:

  1. Open your terminal or command prompt.
  2. Install and configure the AWS CLI if not already done.
  3. Run the following command, replacing YOUR_BUCKET_NAME with the actual name of your S3 bucket:

    aws s3api put-bucket-policy --bucket YOUR_BUCKET_NAME --policy '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnforceSSLAccess",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::YOUR_BUCKET_NAME/*",
                    "arn:aws:s3:::YOUR_BUCKET_NAME"
                ],
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }'

  4. After the command completes, the SSL enforcement policy is applied to the specified S3 bucket.

Note: Enforcing SSL may impact existing applications or services that do not support SSL connections. Ensure that all clients accessing the S3 bucket are configured to use SSL for uninterrupted access.
