Introduction
In addition to Server Side Encryption (SSE) for data, AWS S3 can require that data is sent over an encrypted transport layer to ensure data protection in transit. This is implemented via a bucket policy statement with "Effect": "Deny" and the boolean condition "aws:SecureTransport": "false". This effectively prevents the bucket's contents from being served over plaintext HTTP.
Steps to enforce SSL/TLS for S3 requests using the UI
- Log in to your AWS account and navigate to the S3 dashboard
- In the left navigation panel, choose Buckets to access the S3 buckets list
- Select the S3 bucket that you want to configure
- Click on the Permissions tab
- Click on the Edit button to edit the S3 bucket policy
- In the bucket policy editor, enter a bucket policy that is compliant with the SSL AWS Config rule

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": ["<AWS_account_ID>"]},
          "Action": "s3:Get*",
          "Resource": "<bucket_ARN>/*"
        },
        {
          "Effect": "Deny",
          "Principal": "*",
          "Action": "*",
          "Resource": "<bucket_ARN>/*",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
      ]
    }

- Click on Save changes
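
The following Python check is an added example, not part of the original article: it parses a bucket policy and reports whether a Deny statement conditioned on aws:SecureTransport covers the bucket's objects and the bucket ARN itself. The function names, the account ID 111122223333 and the bucket name example-bucket are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM policy elements may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def _only_plain_http(condition):
    # True when the sole condition is Bool aws:SecureTransport = false.
    # Extra operators or keys would narrow the Deny, so they do not count.
    if set(condition) != {"Bool"} or len(condition["Bool"]) != 1:
        return False
    (key, value), = condition["Bool"].items()
    values = {str(v).lower() for v in _as_list(value)}
    return key.lower() == "aws:securetransport" and values == {"false"}

def tls_deny_coverage(policy_json, bucket_arn):
    """Report which resources a Deny-on-plain-HTTP statement covers."""
    covered = {"objects": False, "bucket": False}
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and _as_list(principal.get("AWS")) == ["*"])
        all_actions = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
        if not (stmt.get("Effect") == "Deny" and everyone and all_actions
                and _only_plain_http(stmt.get("Condition", {}))):
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            # Approximate IAM wildcard matching with shell-style globbing.
            covered["objects"] |= fnmatchcase(bucket_arn + "/*", pattern)
            covered["bucket"] |= fnmatchcase(bucket_arn, pattern)
    return covered

# Constructed sample values: placeholder account ID and bucket ARN.
BUCKET = "arn:aws:s3:::example-bucket"
PAGE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["111122223333"]},
     "Action": "s3:Get*", "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": BUCKET + "/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
# An Allow conditioned on TLS does not block HTTP permitted by other policies.
ALLOW_ONLY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": BUCKET + "/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}})

if __name__ == "__main__":
    print(tls_deny_coverage(PAGE_POLICY, BUCKET))
    print(tls_deny_coverage(ALLOW_ONLY, BUCKET))
```

Run against the policy above, the check reports the objects as covered and the bucket ARN as not covered, because the Deny statement's Resource is <bucket_ARN>/* only.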

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.