How to Find AWS S3 Buckets Without Secure Transport Policies

If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or internet.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

1. Execute the following search command in Fix Inventory Shell:

   > search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" }
   ​kind=aws_s3_bucket, ..., region=fixinventory-poweruser
   ​kind=aws_s3_bucket, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" } | dump
   ​reported:
   ​  id: /aws/s3/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_s3_bucket
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_s3_bucket resources.

Remediation

• Enable encryption in transit for all matching S3 buckets.

note

Please refer to the AWS S3 documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_s3_bucket Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks
• AWS Documentation