lacework-global-73
2.1.2 Deny HTTP requests in S3 Bucket Policies (Automated)
This rule has been changed to automated, see Automated Policies for CIS AWS 1.4.0 for details.
Profile Applicability
• Level 2
Description
At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.
Rationale
By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.
Audit
To allow access to HTTPS you can use a condition that checks for the key "aws:SecureTransport: true". This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key "aws:SecureTransport": "false".
From Console
- Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
- Select the Check box next to the Bucket.
- Click on 'Permissions', then Click on
Bucket Policy. - Ensure that a policy is listed that matches:
'{
"Sid": <optional>,
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}'
<optional> and <bucket_name> will be specific to your account
- Repeat for all the buckets in your AWS account.
From Command Line
- List all of the S3 Buckets
aws s3 ls
- Using the list of buckets run this command on each of them:
aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport
- Confirm that
aws:SecureTransportis set to falseaws:SecureTransport:false - Confirm that the policy line has Effect set to Deny 'Effect:Deny'
Remediation
From Console
- Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
- Select the Check box next to the Bucket.
- Click
Permissions. - Click
Bucket Policy. - Add this to the existing policy filling in the required information:
{
"Sid": <optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
Save.- Repeat for all the buckets in your AWS account that contain sensitive data.
From Console
Using AWS Policy Generator:
- Repeat steps 1-4 from the preceding section.
- Click
Policy Generatorat the bottom of the Bucket Policy Editor. - Select Policy Type:
S3 Bucket Policy. - Add the following statements:
Effect= DenyPrincipal= *AWS Service= Amazon S3Actions= s3:GetObjectAmazon Resource Name=<s3_bucket_arn>
- Generate Policy.
- Copy the text and add it to the Bucket Policy.
From Command Line
- Export the bucket policy to a json file.
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
- Modify the policy.json file by adding in this statement:
{
"Sid": <optional>",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
- Apply this modified policy back to the S3 bucket:
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
You can utilize Lacework's remediation template to resolve violations of this policy. See Remediation Templates.
References
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html