Remediation
From Console
- Log in to the AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
- Select the check box next to the bucket.
- Click on Permissions.
- Click Bucket Policy.
- Add either of the following to the existing policy, filling in the required information:
 
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
or
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
    ],
    "Condition": {
        "NumericLessThan": {
            "s3:TlsVersion": "1.2"
        }
    }
}
- Save.
- Repeat for all the buckets in your AWS account that contain sensitive data.
 
From Console using AWS Policy Generator
- Repeat steps 1-4 above.
- Click on Policy Generator at the bottom of the Bucket Policy Editor.
- Select Policy Type S3 Bucket Policy.
- Add Statements.
  - Effect = Deny
  - Principal = *
  - AWS Service = Amazon S3
  - Actions = *
  - Amazon Resource Name = <ARN of the S3 Bucket>
 - Generate Policy.
 - Copy the text and add it to the Bucket Policy.
 
From Command Line
- Export the bucket policy to a JSON file.
 
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
- Modify the policy.json file by adding either of the following:
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
or
{
    "Sid": "<optional>",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
    ],
    "Condition": {
        "NumericLessThan": {
            "s3:TlsVersion": "1.2"
        }
    }
}
- Apply this modified policy back to the S3 bucket:
 
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
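
The "modify policy.json" step above can be scripted so the Deny statement is merged into whatever policy was exported instead of being pasted by hand. The following is an added example, not part of the original guidance; the function names, the Sid value and the script name are assumptions, and the Resource list covers both the bucket and object ARNs as the second statement above does.

```python
import json
import sys

def tls_deny_statement(bucket):
    """Build the aws:SecureTransport Deny statement for the bucket and its objects."""
    return {
        "Sid": "DenyInsecureTransport",  # constructed value; the Sid is optional
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }

def denies_plain_http(stmt):
    """True if stmt is a Deny conditioned on aws:SecureTransport being false.

    Simplification: Principal and Resource coverage are not inspected.
    """
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    values = value if isinstance(value, list) else [value]
    return stmt.get("Effect") == "Deny" and "false" in [str(v).lower() for v in values]

def add_tls_deny(policy_text, bucket):
    """Return (policy_json, changed) with the Deny statement merged in once."""
    text = policy_text.strip()
    # An empty export means the bucket had no policy yet: start a new document.
    policy = json.loads(text) if text else {"Version": "2012-10-17", "Statement": []}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a policy may hold a single statement object
        stmts = [stmts]
    if any(denies_plain_http(s) for s in stmts):
        return json.dumps(policy, indent=2), False
    policy["Statement"] = stmts + [tls_deny_statement(bucket)]
    return json.dumps(policy, indent=2), True

if __name__ == "__main__":
    # Usage: python add_tls_deny.py <bucket_name> policy.json
    bucket, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        updated, changed = add_tls_deny(fh.read(), bucket)
    if changed:
        with open(path, "w") as fh:
            fh.write(updated + "\n")
    print("statement added" if changed else "already enforced, file unchanged")
```

Run it between the get-bucket-policy and put-bucket-policy commands; existing statements are preserved and a second run leaves the file unchanged.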