Ensure that your Amazon S3 buckets enforce encryption of data over the network, as it travels to and from Amazon S3, using Secure Sockets Layer (SSL).
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity documentation.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When Amazon S3 buckets are not configured to strictly require SSL connections, the communication between the buckets and their clients (users and applications) is vulnerable to eavesdropping and Man-in-the-Middle (MITM) attacks. Trend Micro Cloud One™ – Conformity strongly recommends enforcing SSL-only access by denying all regular, unencrypted HTTP requests to your Amazon S3 buckets when dealing with business-critical, sensitive, or private data.
Audit
To determine if your Amazon S3 buckets are protecting data in transit using Secure Sockets Layer (SSL), perform the following actions:
Remediation / Resolution
To enforce in-transit encryption for your Amazon S3 buckets via bucket policies, perform the following actions:
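As an added example that is not part of the Conformity rule page: the bucket-policy statement the remediation describes (a Deny on all S3 actions whenever the `aws:SecureTransport` condition key is false), together with an audit check that evaluates the document returned by `aws s3api get-bucket-policy`. The bucket name is a placeholder.

```python
import json


def secure_transport_policy(bucket: str) -> dict:
    """Remediation: bucket policy denying every request not sent over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            # aws:SecureTransport evaluates to false for plain-HTTP requests
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def enforces_secure_transport(policy: dict, bucket: str) -> bool:
    """Audit: True only if a Deny statement blocks non-TLS requests from any
    principal for all actions on both the bucket and all of its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if not {"*", "s3:*"} & set(_as_list(stmt.get("Action", []))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" in resources or needed <= resources:
            return True
    return False  # nothing covers bucket + objects: rule fails


def audit_cli_output(get_bucket_policy_json: str, bucket: str) -> bool:
    """Check `aws s3api get-bucket-policy` output; its "Policy" field holds
    the policy document as a JSON-encoded string."""
    policy = json.loads(json.loads(get_bucket_policy_json)["Policy"])
    return enforces_secure_transport(policy, bucket)
```

The check deliberately fails a Deny that names only the bucket ARN: object reads and writes are still accepted over HTTP unless the `/*` object ARN is covered too.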