
πŸ›‘οΈ AWS S3 Bucket Policy is not set to deny HTTP requests🟒

  • Contextual name: πŸ›‘οΈ Bucket Policy is not set to deny HTTP requests🟒
  • ID: /ce/ca/aws/s3/bucket-policy-deny-http-requests
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-d5fbfc401

Description

At the Amazon S3 bucket level, you can use a bucket policy to make the bucket and its objects accessible only over HTTPS.

Rationale

By default, Amazon S3 accepts both HTTP and HTTPS requests. Allowing HTTPS is not enough to enforce it: the bucket policy must also explicitly deny requests that do not use TLS. A bucket policy that allows HTTPS requests without explicitly denying HTTP requests does not comply with this recommendation.

Audit

A bucket policy statement with effect Allow and the condition "aws:SecureTransport": "true" permits HTTPS requests, but it does not block HTTP requests, which remain permitted by whatever other Allow statements, identity policies or ACLs grant access. To explicitly deny HTTP access, check that the bucket policy also contains a statement with effect Deny and the condition "aws:SecureTransport": "false". You can additionally require a minimum TLS version with a Deny statement that uses the NumericLessThan operator on the "s3:TlsVersion" key (for example "1.2") to reject any lower protocol version.

... see more

Remediation

From Console

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. Select the check box next to the bucket.
  3. Click Permissions.
  4. Click Bucket Policy.
  5. Add either of the following statements to the existing policy, filling in the required information. List both the bucket ARN and the object ARN in Resource: bucket-level operations such as s3:ListBucket are authorized against arn:aws:s3:::<bucket_name>, so a Deny scoped only to <bucket_name>/* still allows them over HTTP.
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
  ],
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}

or

{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
  ],
  "Condition": {
    "NumericLessThan": {
      "s3:TlsVersion": "1.2"
    }
  }
}
  6. Save.
  7. Repeat for all buckets in your AWS account that contain sensitive data.

Note that the Deny applies to every caller, including the bucket owner, and it also blocks the bucket's S3 static website endpoint, which serves HTTP only; serve such content through CloudFront over HTTPS instead.
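The audit check and the remediation step above are worked through in the following script, which is an added example rather than code from the CIS benchmark or from Cloudaware. It operates only on the bucket policy JSON document (the output of aws s3api get-bucket-policy), so it runs offline; the bucket name example-bucket, the two sample policies and the Sid DenyInsecureTransport are constructed for the demonstration. denies_http applies the audit criteria (Deny, all principals, s3:* or *, both ARNs, a single Bool aws:SecureTransport = false condition), and ensure_deny_http appends the missing statement without discarding existing ones, since put-bucket-policy replaces the whole document.

```python
"""Audit an S3 bucket policy for the Deny-HTTP statement and add it when missing.

Added example (not the benchmark's or Cloudaware's own code). Runs offline on
the policy JSON document: fetch it with
  aws s3api get-bucket-policy --bucket <bucket> --query Policy --output text
and write the result back with aws s3api put-bucket-policy --policy file://...
"""
import copy
import json
from typing import Any, Optional


def _as_list(value: Any) -> list:
    """Policy elements (Action, Resource, Principal.AWS, ...) may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """The Deny must bind every caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_is_insecure_transport(cond: dict) -> bool:
    """Exactly one operator: Bool aws:SecureTransport == false.
    Any extra operator (an IpAddress restriction, say) narrows the Deny so
    that some HTTP requests would still get through."""
    if len(cond) != 1:
        return False
    (operator, keys), = cond.items()
    if operator.lower() != "bool" or len(keys) != 1:
        return False
    (key, value), = keys.items()
    return (key.lower() == "aws:securetransport"
            and all(str(v).lower() == "false" for v in _as_list(value)))


def denies_http(policy: dict, bucket: str) -> bool:
    """True if a statement denies all principals all S3 actions on the bucket
    ARN *and* its objects whenever the request is not made over TLS.
    Bucket-level calls such as ListBucket are authorised against
    arn:aws:s3:::bucket, so a Deny on bucket/* alone is not enough."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    needed = {bucket_arn, f"{bucket_arn}/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        resources = set(_as_list(stmt.get("Resource")))
        if "*" not in resources and not needed <= resources:
            continue
        if _condition_is_insecure_transport(stmt.get("Condition", {})):
            return True
    return False


def ensure_deny_http(policy: Optional[dict], bucket: str) -> dict:
    """Return a policy document that contains the Deny-HTTP statement.
    Existing statements are kept (put-bucket-policy replaces the whole
    document) and the call is idempotent."""
    doc = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    doc["Statement"] = _as_list(doc.get("Statement"))
    if not denies_http(doc, bucket):
        doc["Statement"].append({
            "Sid": "DenyInsecureTransport",  # hypothetical Sid chosen for this example
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        })
    return doc


# Constructed sample policies (not from the page) for the bucket "example-bucket".
ALLOW_HTTPS_ONLY = {  # allows HTTPS reads but never denies HTTP: non-compliant
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
}
DENY_OBJECTS_ONLY = {  # Deny covers objects only, so ListBucket over HTTP still works
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    for name, doc in (("allow-https-only", ALLOW_HTTPS_ONLY), ("deny-objects-only", DENY_OBJECTS_ONLY)):
        print(f"{name}: denies HTTP = {denies_http(doc, 'example-bucket')}")
    print(json.dumps(ensure_deny_http(ALLOW_HTTPS_ONLY, "example-bucket"), indent=2))
```

The check deliberately fails a Deny whose Condition carries any operator besides the SecureTransport test, because each extra condition is ANDed and shrinks the set of HTTP requests that are denied. The minimum TLS version statement (NumericLessThan on s3:TlsVersion) is a separate requirement and is not evaluated by denies_http.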

From Console using AWS Policy Generator

  1. Repeat steps 1-4 above.
  2. Click on Policy Generator at the bottom of the Bucket Policy Editor.

... see more

policy.yaml

Linked Framework Sections

Section | Counts (Sub Sections, Internal Rules, Policies, Flags) | Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance). | 2122 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.5] S3 general purpose buckets should require requests to use SSL | 11 | no data
💼 AWS Well-Architected → 💼 SEC09-BP03 Authenticate network communications | 3 | no data
💼 CIS AWS v1.3.0 → 💼 2.1.2 Ensure S3 Bucket Policy allows HTTPS requests | 11 | no data
💼 CIS AWS v1.4.0 → 💼 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests | 11 | no data
💼 CIS AWS v1.5.0 → 💼 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated) | 11 | no data
💼 CIS AWS v2.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated) | 11 | no data
💼 CIS AWS v3.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated) | 11 | no data
💼 CIS AWS v4.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) | 1 | no data
💼 CIS AWS v4.0.1 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) | 1 | no data
💼 CIS AWS v5.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) | 1 | no data
💼 CIS AWS v6.0.0 → 💼 3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 70 | no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 3784 | no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 237103 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H) | 2627 | no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 21 | no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 113 | no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 10882 | no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) | 47 | no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 1825 | no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H) | 824 | no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 1643 | no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H) | 721 | no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 13 | no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 47 | no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 125 | no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H) | 24 | no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 43 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H) | 84 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H) | 187 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H) | 21 | no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H) | 13 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H) | 766 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H) | 47 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H) | 125 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H) | 24 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H) | 43 | no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H) | 21 | no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls | 1819 | no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks | 55 | no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions | 1015 | no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer | 810 | no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 1034 | no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | 1863 | no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped | 48 | no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | 1044 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected | 1653 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented | 4791 | no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | 2227 | no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 426 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 2130 | no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected | 1044 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 178 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 179 | no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained | 87 | no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk | 44 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected | 185 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected | 158 | no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected | 183 | no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage | 122 | no data
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 (1) PERIODIC REVIEW | 34 | no data
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 LEAST FUNCTIONALITY | 567 | no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION | 23531 | no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY | 422 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement | 3269121 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains | 3133 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information | 910 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption | 1221 | no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication | 13 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services | 47 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity | 5825 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection | 823 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling | 16 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys | 10 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection | 432 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity | 515 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers | 14 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection | 27 | no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse. | 16 | no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks. | 1828 | no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components. | 14 | no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse. | 16 | no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 228 | no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | 14 | no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse. | 1216 | no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks. | 2928 | no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | 614 | no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication | 1824 | no data