How to enforce SSL/TLS for S3 requests using AWS

Priyam Singh

~ 1 min read

We will go through the steps to enforce SSL/TLS so that bucket policy prevents the contents of the bucket from being served over plaintext HTTP.

Introduction

AWS S3, apart from providing the ability to perform Server Side Encryption (SSE) for data, also provides the ability to send data over an encrypted transport layer to ensure data protection in transit. This is implemented via a bucket policy with an “Effect”: “Deny” along with the boolean condition “aws:SecureTransport”: “false”. This effectively prevents the bucket’s contents from being served over plaintext HTTP.

Steps to enforce SSL/TLS for S3 requests using UI

  1. Log in to your AWS account and navigate to S3 dashboard

  2. In the left navigation panel, choose Buckets to access the S3 buckets list

    s3 bucket navigation panel

  3. Select the S3 bucket, that you want to configure

    demo bucket

  4. Click on Permissions tab

    permissions tab

  5. Click on Edit button to edit the S3 bucket policy

    edit button

  6. In the bucket policy editor, enter the bucket policy that is compliant with the SSL AWS Config rule

    {
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Principal":{"AWS":["<AWS_account_ID>"]},
            "Action":"s3:Get*",
            "Resource":"<bucket_ARN>/*"
            },
        {
            "Effect":"Deny",
            "Principal":"*",
            "Action":"*",
            "Resource":"<bucket_ARN>/*",
            "Condition":{"Bool":{"aws:SecureTransport":"false"}}
        }
    ]
}

    bucket policy

  7. Click on Save changes

    save changes

;