
Rule: S3 Buckets Require Secure Socket Layer

This rule ensures that S3 buckets require requests to use Secure Socket Layer. Control name: pci-v321-s3-5.

Rule: S3 buckets should require requests to use Secure Socket Layer
Framework: PCI v3.2.1
Severity: Medium

Rule Description:

According to the PCI DSS version 3 compliance requirement, all S3 buckets must enforce the use of Secure Socket Layer (SSL) for any incoming requests. This means that all communication between clients and S3 buckets must be encrypted using SSL to ensure the confidentiality and integrity of the data.

Troubleshooting Steps:

If SSL is not enforced for S3 buckets, it can lead to potential security risks and non-compliance with PCI DSS. Here are some troubleshooting steps to ensure SSL enforcement:

  1. Check S3 Bucket Properties: Go to the AWS S3 Management Console and select the bucket in question. From the bucket properties, navigate to the "Permissions" tab and check if SSL is required for all requests.

  2. Bucket Policy Verification: Verify that the bucket policy disallows non-SSL requests. Ensure that the policy explicitly denies requests that do not use SSL.

  3. CORS Configuration: Cross-Origin Resource Sharing (CORS) can impact SSL enforcement. Check the CORS configuration for the S3 bucket and make sure it does not allow non-SSL requests.

  4. Access Control Policies: Review the access control policies associated with the S3 bucket, such as IAM policies or ACLs. Confirm that they do not grant permissions for non-SSL requests.

  5. Network Policies and Proxies: Check whether any network policies, firewalls, or proxies are in place that could override SSL enforcement or block SSL connections. Ensure these configurations are set to allow SSL connections.

Necessary Codes:

There are no specific codes required for this rule. However, you may need to modify the bucket policy or CORS configuration if they are not properly enforcing SSL.

Remediation Steps:

To enforce SSL for S3 buckets, follow these step-by-step remediation instructions:

  1. Open the AWS S3 Management Console and navigate to the bucket for which SSL enforcement is required.

  2. Select the bucket and go to the "Permissions" tab.

  3. Scroll down to the "Bucket Policy" section and click on the "Edit" button.

  4. Update the bucket policy to explicitly deny any requests that do not use SSL. Here is an example of a bucket policy that enforces SSL:

{
    "Version": "2012-10-17",
    "Id": "EnforceSSL",
    "Statement": [
        {
            "Sid": "ForceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Replace "your-bucket-name" with the actual name of your S3 bucket.

  5. Save the policy and verify that SSL enforcement is now in effect for the S3 bucket.

Note: After making the policy changes, test that SSL enforcement is actually working before considering the bucket compliant.
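One way to verify the saved policy without logging into the console is to audit its JSON for the denying statement shown above. The following Python checker is an added example, not part of the original page or of the Cloud Defense product; the bucket name example-bucket, the sample policies, and the helper names are assumptions. It goes slightly beyond the page's single policy by also accepting Principal {"AWS": "*"} and a wildcard Resource, and it flags a policy that omits the object ARN, which would leave object requests over plain HTTP undenied.

```python
import json
from typing import Any


def _as_list(value: Any) -> list:
    # Policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]


def _covers_all_principals(principal: Any) -> bool:
    # "*" and {"AWS": "*"} both mean every principal, anonymous included.
    if principal == "*":
        return True
    return isinstance(principal, dict) and _as_list(principal.get("AWS")) == ["*"]


def enforces_ssl(policy_json: str, bucket: str) -> bool:
    """True if some statement denies all non-SSL s3:* requests to the bucket and its objects."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _covers_all_principals(stmt.get("Principal")):
            continue
        if "s3:*" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        # Accept the string "false" (as in the page's policy) or a JSON boolean.
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        # Both the bucket ARN and the object ARN must be covered (or a wildcard).
        if {bucket_arn, bucket_arn + "/*"} <= resources or "*" in resources:
            return True
    return False


# Constructed sample mirroring the remediation policy above (hypothetical bucket name).
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ForceSSL", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket/*", "arn:aws:s3:::example-bucket"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

# Constructed sample that omits the object ARN, so object-level HTTP requests are not denied.
PARTIAL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    print(enforces_ssl(GOOD, "example-bucket"))     # True
    print(enforces_ssl(PARTIAL, "example-bucket"))  # False
```

To audit a live bucket, feed the string returned by get_bucket_policy in the AWS CLI or SDK into enforces_ssl together with the bucket name.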

By following these steps, SSL enforcement can be enabled for S3 buckets as per PCI DSS compliance requirements.
