By default, S3 buckets can be accessed through both HTTP and HTTPS protocols.
HTTP is a cleartext protocol: it provides no encryption for data in transit and no authentication of the endpoint, so a client cannot verify that it is talking to S3 rather than to an interposed host. An attacker who can intercept network traffic can read, modify, or corrupt data transmitted between a client and an S3 bucket over HTTP. This rule raises an issue when an S3 bucket has no policy that explicitly denies HTTP requests for all principals, all actions, and both the bucket and all of its objects.
An attacker positioned on the network path between clients and the S3 bucket can read all data transmitted over HTTP in cleartext, including file contents and the access key ID and request signature carried in the Authorization header of every signed request.
Without transport encryption, a network attacker can modify requests or responses as they flow between the client and S3, corrupting stored data or injecting malicious content without detection.
The following code does not enforce HTTPS-only access to the S3 bucket, so HTTP requests succeed.
A bucket policy that denies HTTP for only some principals, actions, or resources (for example one that lists the object ARN but not the bucket ARN, or names a single account as the principal) is also noncompliant.
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Noncompliant
```
Compliant solution: attach a bucket policy that denies every request made without TLS (`aws:SecureTransport` is false) for all principals, all actions, and both the bucket and all of its objects.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "example-bucket"
  S3BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Deny
            Principal:
              AWS: "*" # all principals should use https
            Action: "*" # for any actions
            Resource: # for the bucket and all its objects
              - arn:aws:s3:::example-bucket
              - arn:aws:s3:::example-bucket/*
            Condition:
              Bool:
                "aws:SecureTransport": false
```
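The check below is an added example, not code from the rule's author or from Sonar's analyzer. It applies the condition stated in the rule description (a Deny that covers all principals, all actions, the bucket and all its objects, when `aws:SecureTransport` is false) to bucket policy documents in the JSON form that `aws s3api get-bucket-policy` returns, loaded as Python dicts. It goes beyond the single compliant template above by also exercising the noncompliant variants the text names (object ARNs only, one account as principal, a single action, an inverted condition, a Deny narrowed by a second condition). The bucket name `example-bucket`, the account ID `123456789012`, and the address range are constructed placeholders.

```python
"""Check whether an S3 bucket policy denies every cleartext (HTTP) request.

Added example, not Sonar's rule implementation. The bucket name, account ID
and sample policies below are constructed for illustration.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_all_principals(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _covers_all_actions(actions):
    return any(a in ("*", "s3:*") for a in _as_list(actions))


def _covers_bucket_and_objects(resources, bucket_name):
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    have = set(_as_list(resources))
    # The Deny must name the bucket itself (ListBucket, ACLs, ...) and its
    # keys (GetObject, PutObject, ...); a bare "*" covers both.
    return "*" in have or {bucket_arn, bucket_arn + "/*"} <= have


def _only_when_cleartext(condition):
    """True if the sole condition is aws:SecureTransport == false.

    Any additional condition key further narrows the Deny, so it would no
    longer apply to every HTTP request.
    """
    if not isinstance(condition, dict):
        return False
    keys = {k.lower(): v for k, v in condition.items()}
    if set(keys) != {"bool"}:
        return False
    bool_block = {k.lower(): v for k, v in keys["bool"].items()}
    if set(bool_block) != {"aws:securetransport"}:
        return False
    # The value may be a JSON boolean, the string "false", or a list of them.
    values = _as_list(bool_block["aws:securetransport"])
    return any(str(v).lower() == "false" for v in values)


def denies_insecure_transport(policy, bucket_name):
    """Return True when some statement of `policy` meets the rule's condition."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if any(k in stmt for k in ("NotPrincipal", "NotAction", "NotResource")):
            continue  # negated matchers change the semantics; not analysed here
        if (_covers_all_principals(stmt.get("Principal"))
                and _covers_all_actions(stmt.get("Action"))
                and _covers_bucket_and_objects(stmt.get("Resource"), bucket_name)
                and _only_when_cleartext(stmt.get("Condition"))):
            return True
    return False


BUCKET = "example-bucket"  # constructed placeholder

# The compliant policy from the template above, as S3 would return it.
COMPLIANT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")


def _deny(resources, principal="*", action="s3:*", secure=False, extra=None):
    """Build a Deny statement variant; the defaults give a compliant shape."""
    cond = {"Bool": {"aws:SecureTransport": secure}}
    if extra:
        cond.update(extra)
    return {"Effect": "Deny", "Principal": principal, "Action": action,
            "Resource": resources, "Condition": cond}


ALL = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
SAMPLES = {  # constructed policies; only the first satisfies the rule
    "compliant": COMPLIANT,
    "objects only, bucket ARN missing": {"Statement": [_deny(ALL[1:])]},
    "one account instead of all principals":
        {"Statement": [_deny(ALL, principal={"AWS": "arn:aws:iam::123456789012:root"})]},
    "only GetObject denied": {"Statement": [_deny(ALL, action="s3:GetObject")]},
    "condition inverted (denies HTTPS)": {"Statement": [_deny(ALL, secure=True)]},
    "narrowed by a second condition":
        {"Statement": [_deny(ALL, extra={"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})]},
    "no policy statements": {"Statement": []},
}


def evaluate(samples=SAMPLES, bucket_name=BUCKET):
    """Map each sample name to whether it satisfies the rule."""
    return {name: denies_insecure_transport(p, bucket_name) for name, p in samples.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{'compliant   ' if ok else 'NONCOMPLIANT'}  {name}")
```

The check is deliberately strict about the Condition block: a Deny that combines `aws:SecureTransport` with any other condition key applies only to the intersection, so some cleartext requests would still be allowed and the policy is reported as noncompliant.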