🛡️ AWS S3 Bucket Policy is not set to deny HTTP requests🟢

• Contextual name: 🛡️ Bucket Policy is not set to deny HTTP requests🟢
• ID: /ce/ca/aws/s3/bucket-policy-deny-http-requests
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS S3 Bucket
  • 🔌 AWS S3 Bucket - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Secure Transport
• Internal: dec-x-d5fbfc40

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-d5fbfc40	1

Description

Open File

Description

At the Amazon S3 bucket level, you can configure permissions through a bucket policy, making objects accessible only through HTTPS.

Rationale

By default, Amazon S3 allows both HTTP and HTTPS requests. To allow access to Amazon S3 objects only through HTTPS, you must explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests do not comply with this recommendation.

Audit

To allow access to HTTPS, you can use a bucket policy with the effect allow and a condition that checks for the key "aws:SecureTransport": "true". This means that HTTPS requests are allowed, but it does not deny HTTP requests. To explicitly deny HTTP access, ensure that there is also a bucket policy with the effect deny that contains the key "aws:SecureTransport": "false". You may also require TLS by setting a policy to deny any version lower than the one you wish to require, using the condition NumericLessThan and the key "s3:TlsVersion": "1.2".

From Console

... see more

Remediation

Open File

Remediation

From Console

1. Log in to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/

2. Select the checkbox next to the bucket.

3. Click Permissions.

4. Click Bucket Policy.

5. Add either of the following to the existing policy, filling in the required information:

   {
       "Sid": "{{optional}}",
       "Effect": "Deny",
       "Principal": "*",
       "Action": "s3:*",
       "Resource": "arn:aws:s3:::{{bucket_name}}/*",
       "Condition": {
           "Bool": {
               "aws:SecureTransport": "false"
           }
       }
   }

   or

   {
       "Sid": "{{optional}}",
       "Effect": "Deny",
       "Principal": "*",
       "Action": "s3:*",
       "Resource": [
           "arn:aws:s3:::{{bucket_name}}",
           "arn:aws:s3:::{{bucket_name}}/*"
       ],
       "Condition": {
           "NumericLessThan": {
               "s3:TlsVersion": "1.2"
           }
       }
   }

6. Click Save.

7. Repeat for all the buckets in your AWS account that contain sensitive data.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).		21	22		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [S3.5] S3 general purpose buckets should require requests to use SSL		1	1		no data
💼 AWS Well-Architected → 💼 SEC09-BP03 Authenticate network communications			3		no data
💼 CIS AWS v1.3.0 → 💼 2.1.2 Ensure S3 Bucket Policy allows HTTPS requests		1	1		no data
💼 CIS AWS v1.4.0 → 💼 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests		1	1		no data
💼 CIS AWS v1.5.0 → 💼 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated)		1	1		no data
💼 CIS AWS v2.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated)		1	1		no data
💼 CIS AWS v3.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests - Level 2 (Automated)		1	1		no data
💼 CIS AWS v4.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)			1		no data
💼 CIS AWS v4.0.1 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)			1		no data
💼 CIS AWS v5.0.0 → 💼 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)			1		no data
💼 CIS AWS v6.0.0 → 💼 3.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests (Automated)			1		no data
💼 Cloudaware Framework → 💼 Data Encryption			70		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	84		no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	105		no data
💼 FedRAMP High Security Controls → 💼 AC-4(4) Flow Control of Encrypted Information (H)		26	27		no data
💼 FedRAMP High Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP High Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)		1	13		no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	84		no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP High Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1	8	25		no data
💼 FedRAMP High Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)		8	24		no data
💼 FedRAMP High Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)		16	43		no data
💼 FedRAMP High Security Controls → 💼 SC-23 Session Authenticity (M)(H)		7	21		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Low Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			49		no data
💼 FedRAMP Low Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Low Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			84		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		89		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)			21		no data
💼 FedRAMP Moderate Security Controls → 💼 IA-5(1) Password-based Authentication (L)(M)(H)			13		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		68		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			49		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8 Transmission Confidentiality and Integrity (L)(M)(H)	1		25		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-8(1) Cryptographic Protection (L)(M)(H)			24		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-13 Cryptographic Protection (L)(M)(H)			43		no data
💼 FedRAMP Moderate Security Controls → 💼 SC-23 Session Authenticity (M)(H)			21		no data
💼 ISO/IEC 27001:2013 → 💼 A.10.1.1 Policy on the use of cryptographic controls		18	19		no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.2 Securing application services on public networks		5	5		no data
💼 ISO/IEC 27001:2013 → 💼 A.14.1.3 Protecting application services transactions		10	15		no data
💼 ISO/IEC 27001:2022 → 💼 5.14 Information transfer		8	10		no data
💼 NIST CSF v1.1 → 💼 DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed		10	34		no data
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events		18	63		no data
💼 NIST CSF v1.1 → 💼 ID.AM-3: Organizational communication and data flows are mapped		4	8		no data
💼 NIST CSF v1.1 → 💼 PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)		10	44		no data
💼 NIST CSF v1.1 → 💼 PR.DS-2: Data-in-transit is protected		16	53		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity		22	27		no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26		no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities		21	30		no data
💼 NIST CSF v1.1 → 💼 PR.PT-4: Communications and control networks are protected		10	44		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			180		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			181		no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			89		no data
💼 NIST CSF v2.0 → 💼 PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk			44		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			187		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			160		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			184		no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			123		no data
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 (1) PERIODIC REVIEW		3	4		no data
💼 NIST SP 800-53 Revision 4 → 💼 CM-7 LEAST FUNCTIONALITY	5	6	7		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-7 BOUNDARY PROTECTION	23	5	31		no data
💼 NIST SP 800-53 Revision 4 → 💼 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY	4	2	2		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	123		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(2) Information Flow Enforcement _ Processing Domains		31	33		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(15) Information Flow Enforcement _ Detection of Unsanctioned Information		9	10		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption		12	21		no data
💼 NIST SP 800-53 Revision 5 → 💼 IA-5(1) Authenticator Management _ Password-based Authentication			13		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			49		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8 Transmission Confidentiality and Integrity	5	8	25		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection		8	23		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling			16		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys			10		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-13 Cryptographic Protection	4		32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23 Session Authenticity	5		15		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers			14		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection			27		no data
💼 PCI DSS v3.2.1 → 💼 2.2.4 Configure system security parameters to prevent misuse.			16		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28		no data
💼 PCI DSS v3.2.1 → 💼 8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.			14		no data
💼 PCI DSS v4.0.1 → 💼 2.2.6 System security parameters are configured to prevent misuse.			16		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28		no data
💼 PCI DSS v4.0.1 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.			14		no data
💼 PCI DSS v4.0 → 💼 2.2.6 System security parameters are configured to prevent misuse.		12	16		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28		no data
💼 PCI DSS v4.0 → 💼 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components.		6	14		no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24		no data