How to Find AWS S3 Buckets Without Secure Transport Policies
If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or internet.
info
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
-
Execute the following
search
command in Fix Inventory Shell:> search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" }
kind=aws_s3_bucket, ..., region=fixinventory-poweruser
kind=aws_s3_bucket, ..., account=poweruser-team -
Pipe the
search
command into thedump
command:> search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" } | dump
reported:
id: /aws/s3/123
name: some-name
ctime: '2022-12-05T22:53:14Z'
kind: aws_s3_bucket
age: 2mo28dThe command output will list the details of all non-compliant
aws_s3_bucket
resources.
Remediation
- Enable encryption in transit for all matching S3 buckets.
note
Please refer to the AWS S3 documentation for details.