By default, S3 buckets can be accessed through HTTP and HTTPs protocols.
As HTTP is a clear-text protocol, it lacks the encryption of transported data, as well as the capability to build an authenticated connection. It means that a malicious actor who is able to intercept traffic from the network can read, modify or corrupt the transported content.
There is a risk if you answered yes to any of those questions.
It’s recommended to deny all HTTP requests:
*) of the bucket *) *) No secure policy is attached to this bucket:
import aws_cdk.aws_s3 as s3 import aws_cdk.aws_iam as iam bucket = s3.Bucket(self, "bucket") # Sensitive
A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:
bucket = s3.Bucket(self, "bucket")
bucket.add_to_resource_policy(iam.PolicyStatement( # Sensitive
effect=iam.Effect.DENY,
resources=[bucket.bucket_arn],
actions=["s3:SomeAction"],
principals=[roles],
conditions=[{"Bool": {"aws:SecureTransport": False}}]
)
)
A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny access to HTTP requests.
A secure policy that enforces SSL on requests (default: False):
bucket = S3.Bucket(self,
"bucket",
enforce_ssl=True
)
A secure policy that denies all HTTP requests is used:
bucket = s3.Bucket(self, "bucket")
result = bucket.add_to_resource_policy(iam.PolicyStatement(
effect=iam.Effect.DENY,
resources=["*"],
actions=["s3:*"],
principals=["*"],
conditions=["SecureTransport:False"]
)
)