Secure Transport

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: S3-017

Ensure that your Amazon S3 buckets enforce encryption of data in transit, as it travels to and from Amazon S3, by accepting only HTTPS requests (SSL/TLS) and rejecting plain HTTP.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When Amazon S3 buckets are not configured to strictly require HTTPS connections, the communication between the buckets and their clients (users and applications) can be read or altered by anyone on the network path, making it vulnerable to eavesdropping and Man-in-the-Middle (MITM) attacks. Trend Micro Cloud One™ – Conformity strongly recommends enforcing HTTPS-only access by denying all regular, unencrypted HTTP requests to your Amazon S3 buckets when dealing with business-critical, sensitive, or private data. The mechanism is a bucket policy statement with "Effect": "Deny" for all principals and all S3 actions, conditioned on "aws:SecureTransport": "false": S3 sets this condition key to true only for requests received over HTTPS, and an explicit Deny in a bucket policy cannot be overridden by any Allow granted in the same policy, in an IAM policy, or through an ACL.


Audit

To determine if your Amazon S3 buckets are protecting data in transit by requiring HTTPS (SSL/TLS), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to examine to access the bucket configuration settings.

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, review the policy document attached to the bucket. If the bucket policy does not contain one of the following combinations of elements: "Condition": { "Bool": { "aws:SecureTransport": "true" } } with the "Effect" element set to "Allow", or "Condition": { "Bool": { "aws:SecureTransport": "false" } } with the "Effect" set to "Deny", the selected Amazon S3 bucket is not configured to enforce encryption in transit. A bucket with no policy attached at all fails the check for the same reason. Note that only the "Deny" form actually rejects plaintext requests: an "Allow" statement conditioned on "aws:SecureTransport": "true" merely declines to grant HTTP access itself, and HTTP requests may still be permitted by other bucket policy statements, by IAM policies, or by ACLs. Also confirm that the "Resource" element of the "Deny" statement names both the bucket ARN (for bucket-level operations such as s3:ListBucket) and the objects within it (the bucket ARN followed by /*); a statement that lists only the objects still allows bucket-level operations over HTTP.

06 Repeat steps no. 3 – 5 for each Amazon S3 bucket that you want to examine, available in your AWS cloud account.

Using AWS CLI

01 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
    --query 'Buckets[*].Name'

02 The command output should return an array with the requested bucket names:

[
    "cc-web-app-assets",
    "cc-project5-media"
]

03 Run get-bucket-policy command (OSX/Linux/UNIX) using the name of the Amazon S3 bucket that you want to examine as the identifier parameter to describe the bucket policy (JSON format) attached to the selected S3 bucket:

aws s3api get-bucket-policy \
  --bucket cc-web-app-assets \
  --query Policy \
  --output text

04 The command output should return the requested bucket policy document:

{
  "Id": "web-app-bucket-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::cc-web-app-assets/*",
      "Principal": "*"
    }
  ]
}

Check the policy document returned by the get-bucket-policy command. If the bucket policy does not contain one of the following combinations of elements: "Condition": { "Bool": { "aws:SecureTransport": "true" } } with the "Effect" element set to "Allow", or "Condition": { "Bool": { "aws:SecureTransport": "false" } } with the "Effect" set to "Deny", the selected Amazon S3 bucket is not configured to enforce encryption in transit. If the command fails with a NoSuchBucketPolicy error, the bucket has no policy at all and therefore fails the check as well. As in the console procedure, only the "Deny" form actually rejects plaintext requests, and its "Resource" element should name both the bucket ARN and the bucket ARN followed by /* so that bucket-level operations such as s3:ListBucket are covered too.

05 Repeat steps no. 3 and 4 for each Amazon S3 bucket that you want to examine created within your AWS cloud account.
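The audit loop above can be automated. The following Python script is an added example, not part of the original Conformity page or its tooling: it encodes the same pass criterion (a Deny on aws:SecureTransport false, or an Allow on aws:SecureTransport true), applies it to every bucket through boto3, and additionally reports whether the Deny is strict, that is, applies to all principals and all S3 actions and names both the bucket ARN and the objects under it. boto3 is assumed to be installed and configured with permission to list buckets and read bucket policies; the three sample policy documents are constructed for offline use, and the bucket name cc-web-app-assets is the one used throughout this page.

```python
"""Audit S3 bucket policies for the aws:SecureTransport Deny that rule S3-017 looks for."""
import json
from typing import Any, List, NamedTuple, Optional, Set


class AuditResult(NamedTuple):
    passes: bool         # meets the S3-017 criterion (Deny+false or Allow+true)
    strict: bool         # a Deny for all principals and s3:* covers bucket AND objects
    findings: List[str]  # human-readable gaps, empty when strict


def _as_list(value: Any) -> List[Any]:
    """Action, Resource, Principal.AWS and Statement may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _secure_transport_is(statement: dict, expected: str) -> bool:
    """Compare Condition.Bool.aws:SecureTransport as text: IAM accepts JSON true/false
    as well as the strings "true"/"false"."""
    value = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return value is not None and str(value).lower() == expected


def _applies_to_everyone(statement: dict) -> bool:
    principal = statement.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _covers_all_s3_actions(statement: dict) -> bool:
    return any(action in ("*", "s3:*") for action in _as_list(statement.get("Action")))


def _resource_scope(statement: dict, bucket: str) -> Set[str]:
    """Which of {"bucket", "objects"} the Resource element names; "*" names both."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = set(_as_list(statement.get("Resource")))
    scope: Set[str] = set()
    if "*" in resources or bucket_arn in resources:
        scope.add("bucket")
    if "*" in resources or f"{bucket_arn}/*" in resources:
        scope.add("objects")
    return scope


def audit_bucket_policy(bucket: str, policy_json: Optional[str]) -> AuditResult:
    """Evaluate one policy document as returned by get-bucket-policy (None = no policy)."""
    if not policy_json:
        return AuditResult(False, False, ["no bucket policy attached"])
    passes = allow_form = False
    coverage: Set[str] = set()
    findings: List[str] = []
    for statement in _as_list(json.loads(policy_json).get("Statement")):
        effect = statement.get("Effect")
        if effect == "Deny" and _secure_transport_is(statement, "false"):
            passes = True
            if not _applies_to_everyone(statement):
                findings.append("Deny statement is limited to specific principals")
            elif not _covers_all_s3_actions(statement):
                findings.append("Deny statement does not cover all S3 actions")
            else:
                coverage |= _resource_scope(statement, bucket)
        elif effect == "Allow" and _secure_transport_is(statement, "true"):
            passes = allow_form = True
    if coverage and "bucket" not in coverage:
        findings.append("Deny covers objects only; bucket-level calls such as s3:ListBucket still work over HTTP")
    if coverage and "objects" not in coverage:
        findings.append("Deny covers the bucket only; object reads and writes still work over HTTP")
    if allow_form and not coverage:
        findings.append("Allow conditioned on aws:SecureTransport=true does not block HTTP requests granted elsewhere")
    if not passes:
        findings.append("no aws:SecureTransport condition found")
    return AuditResult(passes, {"bucket", "objects"} <= coverage, findings)


def main() -> None:
    """Audit every bucket in the account; boto3 (assumed installed and configured) is
    imported here so the pure checks above run without it."""
    import boto3
    s3 = boto3.client("s3")
    for bucket in (b["Name"] for b in s3.list_buckets()["Buckets"]):
        try:
            policy_json = s3.get_bucket_policy(Bucket=bucket)["Policy"]
        except s3.exceptions.NoSuchBucketPolicy:
            policy_json = None
        result = audit_bucket_policy(bucket, policy_json)
        status = "STRICT" if result.strict else ("PASS" if result.passes else "FAIL")
        print(f"{status:6} {bucket}  {'; '.join(result.findings)}")


# Constructed sample documents (not from a real account): the Allow-only policy shown in
# the Audit section, an objects-only Deny, and a Deny covering both bucket and objects.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::cc-web-app-assets/*"}]})
OBJECTS_ONLY_DENY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": False}},
     "Resource": "arn:aws:s3:::cc-web-app-assets/*"}]})
STRICT_DENY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}},
     "Resource": ["arn:aws:s3:::cc-web-app-assets", "arn:aws:s3:::cc-web-app-assets/*"]}]})

if __name__ == "__main__":  # offline demo on the samples; call main() against a live account
    for name, doc in (("open", OPEN_POLICY), ("objects-only", OBJECTS_ONLY_DENY), ("strict", STRICT_DENY)):
        print(name, audit_bucket_policy("cc-web-app-assets", doc))
```

The three outcomes correspond to the three kinds of bucket you will meet in practice: FAIL is what Conformity flags, PASS is a bucket that satisfies the rule but still lets bucket-level operations or Allow-only configurations slip through over HTTP, and STRICT is the configuration the Remediation section produces.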

Remediation / Resolution

To enforce in-transit encryption for your Amazon S3 buckets via bucket policies, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Enforce Encryption In Transit",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "cc-web-app-assets"
      }
    },
    "SecureTransportPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "UpdateReplacePolicy": "Retain",
      "Properties": {
        "Bucket": { "Ref": "S3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Id": "cc-secure-transport-bucket-policy",
          "Statement": [
            {
              "Sid": "cc-secure-transport-bucket-policy",
              "Effect": "Deny",
              "Principal": { "AWS": "*" },
              "Action": "s3:*",
              "Resource": [
                { "Fn::GetAtt": [ "S3Bucket", "Arn" ] },
                { "Fn::Sub": "${S3Bucket.Arn}/*" }
              ],
              "Condition": {
                "Bool": { "aws:SecureTransport": "false" }
              }
            }
          ]
        }
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Enforce Encryption In Transit
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cc-web-app-assets
  SecureTransportPolicy:
    Type: AWS::S3::BucketPolicy
    UpdateReplacePolicy: Retain
    Properties:
      # Referencing the bucket resource makes CloudFormation create the bucket first
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Id: cc-secure-transport-bucket-policy
        Statement:
        - Sid: cc-secure-transport-bucket-policy
          Effect: Deny
          Principal:
            AWS: "*"
          Action: s3:*
          # Both ARNs: bucket-level operations (e.g. s3:ListBucket) and object operations
          Resource:
            - !GetAtt S3Bucket.Arn
            - !Sub '${S3Bucket.Arn}/*'
          Condition:
            Bool:
              aws:SecureTransport: 'false'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.27"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_s3_bucket" "secure-bucket" {
  bucket = "cc-web-app-assets"
}

resource "aws_s3_bucket_policy" "secure-bucket-policy" {
  bucket = aws_s3_bucket.secure-bucket.id

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "cc-secure-transport-bucket-policy"
    Statement = [
      {
        Sid       = "cc-secure-transport-bucket-policy"
        Effect    = "Deny"
        Principal = { AWS = "*" }
        Action    = "s3:*"
        # Both ARNs: bucket-level operations (e.g. s3:ListBucket) and object operations
        Resource = [
          aws_s3_bucket.secure-bucket.arn,
          "${aws_s3_bucket.secure-bucket.arn}/*",
        ]
        Condition = {
          Bool = { "aws:SecureTransport" = "false" }
        }
      }
    ]
  })
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Click on the name of the S3 bucket that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Permissions tab from the console menu to access the bucket permissions.

05 In the Bucket policy section, choose Edit to modify the bucket policy attached to the selected bucket.

06 In the Policy editor box, perform one of the following actions based on the current access configuration:

  1. If there is no policy attached to the selected S3 bucket, paste the following policy document in the Policy editor box, then choose Save changes to apply the changes. This bucket policy denies every request that does not arrive over HTTPS, for both bucket-level and object-level operations, on an S3 bucket named "cc-web-app-assets":
    {
      "Version": "2012-10-17",
      "Id": "cc-secure-transport-bucket-policy",
      "Statement": [
        {
          "Sid": "cc-secure-transport-bucket-policy",
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::cc-web-app-assets",
            "arn:aws:s3:::cc-web-app-assets/*"
          ],
          "Condition": {
            "Bool": { "aws:SecureTransport": "false" }
          }
        }
      ]
    }
    
  2. If the selected S3 bucket already has a bucket policy attached, append the following Deny statement to the "Statement" array of the existing policy document in the Policy editor box (it is the last statement in the example below; the existing statements, elided as "...", stay as they are), then choose Save changes to apply the changes. Because an explicit Deny overrides every Allow, the bucket will serve its content over HTTPS only and reject all regular (unencrypted) access:
    {
      "Id": "cc-web-assets-bucket-policy",
      "Version": "2012-10-17",
      "Statement": [
    
        ...
    
        {
          "Sid": "cc-secure-transport-bucket-policy",
          "Effect": "Deny",
          "Principal": { "AWS": "*" },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::cc-web-app-assets",
            "arn:aws:s3:::cc-web-app-assets/*"
          ],
          "Condition": {
            "Bool": { "aws:SecureTransport": "false" }
          }
        }
      ]
    }
    

07 Repeat steps no. 3 – 6 to enable in-transit encryption for other Amazon S3 buckets available in your AWS cloud account.

Using AWS CLI

01 Define the bucket policy that will enforce in-transit encryption for your Amazon S3 bucket. Paste the following policy document into a JSON file named cc-secure-transport-bucket-policy.json and save the file. If your Amazon S3 bucket already has a bucket policy attached, start from the existing policy document (as returned by get-bucket-policy in the Audit section) and append only the Deny statement shown below to its "Statement" array, so that the existing statements are not lost when the policy is replaced in the next step:

{
  "Version": "2012-10-17",
  "Id": "cc-secure-transport-bucket-policy",
  "Statement": [
    {
      "Sid": "cc-secure-transport-bucket-policy",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::cc-web-app-assets",
        "arn:aws:s3:::cc-web-app-assets/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}

02 Run put-bucket-policy command (OSX/Linux/UNIX) to attach the policy created at the previous step to the specified Amazon S3 bucket. This command replaces the entire bucket policy rather than merging into it, which is why any existing statements must already be present in the JSON file (if successful, the command produces no output):

aws s3api put-bucket-policy \
  --bucket cc-web-app-assets \
  --policy file://cc-secure-transport-bucket-policy.json

To confirm the change took effect, re-run the get-bucket-policy command from the Audit section and check that the Deny statement is present; any request sent to the bucket over plain HTTP (for example, with the AWS CLI's --endpoint-url option pointing at an http:// S3 endpoint) must now fail with an AccessDenied error.

03 Repeat step no. 1 and 2 to enable in-transit encryption for other Amazon S3 buckets available within your AWS cloud account.
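Because put-bucket-policy replaces the whole document, the safest way to script this remediation across many buckets is to fetch the current policy, merge the Deny statement in, and write the result back. The following Python script is an added example, not code from the original page or from Conformity: it reuses the Sid cc-secure-transport-bucket-policy from the console example so that running it twice never duplicates the statement, keeps every other statement verbatim, and assumes boto3 is installed and configured with permission to read and write bucket policies. The sample existing policy is constructed from the Allow-only policy shown in the Audit section.

```python
"""Merge the HTTPS-only Deny statement into an S3 bucket policy instead of replacing it."""
import json
from typing import Any, Dict, List, Optional, Union

SECURE_TRANSPORT_SID = "cc-secure-transport-bucket-policy"
Policy = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    """The Statement element may be a single object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def secure_transport_statement(bucket: str) -> Dict[str, Any]:
    """The Deny statement from the Remediation section, covering the bucket and its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Sid": SECURE_TRANSPORT_SID,
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def merge_secure_transport_statement(bucket: str, existing: Union[str, Policy, None]) -> Policy:
    """Return a policy document containing the Deny statement exactly once.

    `existing` is the current policy: JSON text as returned by get-bucket-policy, an
    already-parsed dict, or None when the bucket has no policy. Every other statement is
    kept verbatim; a statement already carrying SECURE_TRANSPORT_SID is replaced, so
    running the remediation twice does not duplicate it.
    """
    if existing is None:
        policy: Policy = {"Version": "2012-10-17", "Id": SECURE_TRANSPORT_SID}
    elif isinstance(existing, str):
        policy = json.loads(existing)
    else:
        policy = dict(existing)  # shallow copy so the caller's dict is not mutated
    statements = [s for s in _as_list(policy.get("Statement")) if s.get("Sid") != SECURE_TRANSPORT_SID]
    statements.append(secure_transport_statement(bucket))
    policy["Statement"] = statements
    policy.setdefault("Version", "2012-10-17")
    return policy


def apply(bucket: str) -> None:
    """get-bucket-policy -> merge -> put-bucket-policy, i.e. the CLI steps above in one call.
    boto3 (assumed installed and configured) is imported here so the merge runs without it."""
    import boto3
    s3 = boto3.client("s3")
    try:
        current: Optional[str] = s3.get_bucket_policy(Bucket=bucket)["Policy"]
    except s3.exceptions.NoSuchBucketPolicy:
        current = None  # bucket has no policy yet; start from an empty document
    merged = merge_secure_transport_statement(bucket, current)
    s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(merged))


# Constructed example input (not from a real account): the Allow-only policy from the Audit section.
EXISTING_POLICY = json.dumps({"Id": "web-app-bucket-policy", "Version": "2012-10-17", "Statement": [
    {"Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::cc-web-app-assets/*", "Principal": "*"}]})

if __name__ == "__main__":  # offline demo; call apply("cc-web-app-assets") against a live account
    print(json.dumps(merge_secure_transport_statement("cc-web-app-assets", EXISTING_POLICY), indent=2))
```

Keying the merge on the Sid rather than on statement contents is deliberate: if a later revision of the Deny statement changes (for example, to add a bucket ARN that an older copy lacked), the old statement is replaced rather than left beside the new one.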

Publication date Feb 6, 2017