Ensure data is transported from the S3 bucket securely

Error: Data is not transported from the S3 bucket securely

Bridgecrew Policy ID: BC_AWS_S3_15
Severity: HIGH

Data is not transported from the S3 bucket securely

Description

S3 buckets accept connections that do not use SSL/TLS by default. Because S3 buckets may contain sensitive data, allowing unencrypted transport leaves that data exposed to interception in transit.

We recommend requiring that all connections to your S3 buckets use SSL/TLS, so that only encrypted requests succeed and data is not leaked in transit.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon S3 console.
  3. Navigate to the S3 service, then click on the bucket violating this check.
  4. Navigate to the Permissions section.
  5. Select Bucket Policy.
  6. Ensure the following statement is added to the bucket policy, replacing the value of BUCKET_NAME. Note that the example below is a complete policy document; if your bucket already has a policy, copy only the statement into the existing Statement array.

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "DenyUnSecureCommunications",
                 "Effect": "Deny",
                 "Principal": "*",
                 "Action": "s3:*",
                 "Resource": [
                     "arn:aws:s3:::BUCKET_NAME",
                     "arn:aws:s3:::BUCKET_NAME/*"
                 ],
                 "Condition": {
                     "Bool": {
                         "aws:SecureTransport": "false"
                     }
                 }
             }
         ]
     }

  7. To apply the policy to the bucket, click Save.
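As an added illustration of what this check looks for (example code, not Bridgecrew's own implementation), the function below parses a bucket policy document, such as the JSON string returned by the S3 GetBucketPolicy API, and reports whether it contains a Deny statement that rejects every principal's S3 requests when aws:SecureTransport is false and that covers both the bucket ARN and the bucket/* ARN. The bucket name example-bucket and both sample policy documents are constructed for the example.

```python
import json
from typing import Any, List

def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_any_principal(principal: Any) -> bool:
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean every caller.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _covers_bucket_and_objects(resources: Any, bucket: str) -> bool:
    # The deny must reach both the bucket ARN (bucket-level calls) and the
    # bucket/* ARN (object calls); otherwise plain-HTTP object reads slip through.
    res = set(_as_list(resources))
    arn = f"arn:aws:s3:::{bucket}"
    return "*" in res or (arn in res and f"{arn}/*" in res)

def enforces_secure_transport(policy_json: str, bucket: str) -> bool:
    """True when some statement denies all principals all S3 actions on the
    bucket and its objects whenever aws:SecureTransport is false."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _is_any_principal(stmt.get("Principal")):
            continue
        if not any(a.lower() in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue
        if not _covers_bucket_and_objects(stmt.get("Resource"), bucket):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if any(str(v).lower() == "false" for v in _as_list(flag)):
            return True
    return False

# Constructed sample documents (hypothetical bucket "example-bucket").
COMPLIANT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUnSecureCommunications", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
# Same intent, but the object ARN is missing: unencrypted GetObject still works.
PARTIAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Feeding the partial document through the check shows why both ARNs are listed in the statement above: without the bucket/* resource the deny never applies to object-level requests.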