
Rule: S3 Buckets Should Enforce SSL

This rule ensures that S3 buckets enforce SSL for enhanced security measures.

Rule: S3 buckets should enforce SSL
Framework: NIST Cybersecurity Framework (CSF) v1.1
Severity: Medium

Rule Description:

This rule/policy enforces SSL (Secure Sockets Layer) for S3 buckets, in accordance with the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) version 1.

Enforcing SSL ensures that all communications between the client and the S3 bucket are encrypted, providing an added layer of security to protect sensitive data.

Troubleshooting Steps (if any):

  1. Ensure that SSL/TLS (Transport Layer Security) is enabled for the S3 bucket.
  2. Review the bucket policy or access control list (ACL) to verify that SSL is required for all connections.

Necessary Codes (if any):

To enforce SSL for an S3 bucket, you can add the following bucket policy:

{
    "Version": "2012-10-17",
    "Id": "EnforceSSLOnly",
    "Statement": [
        {
            "Sid": "RequireHTTPS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

This policy denies all actions ("Action": "s3:*") for any principal accessing the bucket ("Principal": "*") if the connection is not using SSL/TLS ("aws:SecureTransport": "false"). Both the bucket ARN and the object ARN are listed under "Resource" so that bucket-level operations such as listing the bucket are covered as well as object-level operations such as reading or writing objects. Replace "your-bucket" with the name of your S3 bucket.
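The following Python is an added example, not part of the Cloud Defense rule page or AWS's own tooling. It builds the SSL-only policy for a given bucket name and, for the "review the bucket policy" troubleshooting step, checks an existing policy document for a Deny statement that actually covers both the bucket ARN and the object ARN. The bucket name "example-bucket" and the sample policies are constructed for illustration; the checker assumes the common policy shapes (a "*" principal or {"AWS": "*"}, and "s3:*" or "*" actions) and does not expand partial wildcards or NotAction/NotResource forms.

```python
import json


def ssl_only_policy(bucket: str) -> dict:
    """Build a bucket policy that denies every S3 action over plain HTTP.

    Both the bucket ARN and the object ARN are listed so that bucket-level
    operations (ListBucket, GetBucketLocation, ...) are denied as well as
    object-level ones (GetObject, PutObject, ...).
    """
    return {
        "Version": "2012-10-17",
        "Id": "EnforceSSLOnly",
        "Statement": [
            {
                "Sid": "RequireHTTPS",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def enforces_ssl(policy, bucket: str) -> tuple[bool, list[str]]:
    """Return (compliant, findings) for a policy document (dict or JSON string).

    A statement counts only if it is a Deny for all principals and all S3
    actions, conditioned on aws:SecureTransport being false. The resources
    named by such statements must include the bucket ARN and the object ARN
    (or a bare "*"); anything less leaves some HTTP access allowed.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    covered: set[str] = set()

    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "s3:*" not in actions and "*" not in actions:
            continue
        principal = stmt.get("Principal")
        if principal != "*" and principal != {"AWS": "*"}:
            continue
        # Condition keys are case-insensitive in IAM; the value may be a string or bool.
        bool_cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        if str(bool_cond.get("aws:securetransport", "")).lower() != "false":
            continue
        covered.update(_as_list(stmt.get("Resource", [])))

    findings = []
    if "*" not in covered and bucket_arn not in covered:
        findings.append("bucket-level actions (e.g. s3:ListBucket) are still allowed over HTTP")
    if "*" not in covered and object_arn not in covered:
        findings.append("object-level actions (e.g. s3:GetObject) are still allowed over HTTP")
    return (not findings, findings)


# Constructed sample: the objects-only variant misses bucket-level operations.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}

if __name__ == "__main__":
    print(json.dumps(ssl_only_policy("example-bucket"), indent=2))
    print(enforces_ssl(ssl_only_policy("example-bucket"), "example-bucket"))
    print(enforces_ssl(OBJECTS_ONLY_POLICY, "example-bucket"))
```

To review a live bucket, the JSON string returned by `aws s3api get-bucket-policy --bucket <name> --query Policy --output text` can be passed straight to enforces_ssl; a policy with no matching Deny statement at all is reported with both findings.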

Step-by-Step Guide for Remediation:

  1. Open the AWS Management Console and navigate to the S3 service.
  2. Click on the desired S3 bucket that needs to enforce SSL.
  3. Select the "Permissions" tab.
  4. Under the "Bucket Policy" section, click on "Edit".
  5. Replace any existing bucket policy with the provided necessary code.
  6. Click on "Save changes" to apply the updated policy.
  7. Verify that SSL is enforced by attempting to access the S3 bucket without using SSL. It should be denied.
  8. If SSL is not enforced, double-check the bucket policy for any errors or typos and make the necessary corrections.
  9. Review the troubleshooting steps if SSL still isn't enforced.
  10. SSL is now enforced for the S3 bucket, in compliance with the NIST CSF v1.

Note: Enforcing SSL ensures that all communications to and from the S3 bucket are encrypted, protecting sensitive data and enhancing overall security. It is recommended to regularly review and update security policies to align with best practices and industry standards.
