Remediation
From Console

1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
2. Select the checkbox next to the bucket.
3. Click Permissions.
4. Click Bucket Policy.
5. Add either of the following statements to the existing policy, filling in the required information:

```json
{
  "Sid": "{{optional}}",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::{{bucket_name}}/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}
```

or

```json
{
  "Sid": "{{optional}}",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::{{bucket_name}}",
    "arn:aws:s3:::{{bucket_name}}/*"
  ],
  "Condition": {
    "NumericLessThan": {
      "s3:TlsVersion": "1.2"
    }
  }
}
```

6. Click Save.
7. Repeat for all the buckets in your AWS account that contain sensitive data.
From Console using AWS Policy Generator

1. Repeat steps 1-4 above.
2. Click on Policy Generator at the bottom of the Bucket Policy Editor.
3. Select Policy Type S3 Bucket Policy.
4. Add statements:
   - Effect = Deny
   - Principal = *
   - AWS Service = Amazon S3
   - Actions = *
   - Amazon Resource Name = {{ARN of the S3 Bucket}}
5. Generate Policy.
6. Copy the text and add it to the Bucket Policy.
From Command Line

1. Export the bucket policy to a JSON file:

```bash
aws s3api get-bucket-policy --bucket {{bucket_name}} --query Policy --output text > policy.json
```

2. Modify the policy.json file by adding either of the following statements:

```json
{
  "Sid": "{{optional}}",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::{{bucket_name}}/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}
```

or

```json
{
  "Sid": "{{optional}}",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::{{bucket_name}}",
    "arn:aws:s3:::{{bucket_name}}/*"
  ],
  "Condition": {
    "NumericLessThan": {
      "s3:TlsVersion": "1.2"
    }
  }
}
```

3. Apply the modified policy back to the S3 bucket:

```bash
aws s3api put-bucket-policy --bucket {{bucket_name}} --policy file://policy.json
```
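A worked example of the command-line steps above, added here and not part of the original page: it takes the exported policy JSON, checks whether a statement already denies non-TLS access to both the bucket and its objects, and appends the first statement shown above when it is missing (with the bucket ARN added to the Resource list, because a `/*` resource alone does not cover bucket-level calls such as ListBucket). The bucket name, the Sid and the sample policy are constructed placeholders.

```python
import json

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket

# Constructed stand-in for get-bucket-policy output: one Allow statement and
# no transport restriction, so the check below fails on it.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowReadRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]})

def deny_insecure_transport_statement(bucket: str) -> dict:
    """The page's first statement, with the bucket ARN included so bucket-level
    calls such as ListBucket over HTTP are denied as well."""
    return {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

def _as_list(value):  # policy fields may be a scalar or a list
    return value if isinstance(value, list) else [value]

def has_deny_insecure_transport(policy_json: str, bucket: str) -> bool:
    """True if a statement denies all principals every s3 action over plain HTTP
    on both the bucket and its objects (an object-only '/*' statement fails)."""
    want = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if (stmt.get("Effect") == "Deny"
                and stmt.get("Principal") in ("*", {"AWS": "*"})
                and "s3:*" in map(str.lower, _as_list(stmt.get("Action", [])))
                and str(cond.get("aws:SecureTransport", "")).lower() == "false"
                and want <= set(_as_list(stmt.get("Resource", [])))):
            return True
    return False

def ensure_deny_insecure_transport(policy_json: str, bucket: str) -> str:
    """Return the policy with the deny statement appended when it is missing;
    an empty string (bucket has no policy yet) starts a fresh policy."""
    policy = json.loads(policy_json) if policy_json.strip() else {"Version": "2012-10-17"}
    if not has_deny_insecure_transport(json.dumps(policy), bucket):
        policy["Statement"] = _as_list(policy.get("Statement", [])) + [
            deny_insecure_transport_statement(bucket)]
    return json.dumps(policy, indent=2)

if __name__ == "__main__":  # python fix_policy.py < policy.json > policy.new.json
    import sys
    print(ensure_deny_insecure_transport(sys.stdin.read(), BUCKET))
```

Note that `get-bucket-policy` returns an error rather than an empty document when the bucket has no policy at all; in that case feed the script an empty input and it starts a new policy.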