turbot/aws_cis
Pipeline: 2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests
Description
At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.
By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.
Remediation
From Console:
- Log in to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/.
- Select the check box next to the bucket.
- Click on 'Permissions'.
- Click 'Bucket Policy'.
- Add this to the existing policy, filling in the required information.
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}
or
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
  ],
  "Condition": {
    "NumericLessThan": {
      "s3:TlsVersion": "1.2"
    }
  }
}
- Save.
- Repeat for all the buckets in your AWS account that contain sensitive data.
From Console, using AWS Policy Generator:
- Repeat steps 1-4 above.
- Click on Policy Generator at the bottom of the Bucket Policy Editor.
- Select Policy Type: S3 Bucket Policy.
- Add Statements: Effect = Deny; Principal = *; AWS Service = Amazon S3; Actions = *; Amazon Resource Name = <ARN of the S3 Bucket>.
- Generate Policy.
- Copy the text and add it to the Bucket Policy.
From Command Line:
- Export the bucket policy to a JSON file.
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
- Modify the policy.json file by adding in this statement:
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::<bucket_name>/*",
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}
or
{
  "Sid": "<optional>",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::<bucket_name>",
    "arn:aws:s3:::<bucket_name>/*"
  ],
  "Condition": {
    "NumericLessThan": {
      "s3:TlsVersion": "1.2"
    }
  }
}
- Apply this modified policy back to the S3 bucket:
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
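The command-line remediation above leaves the "modify policy.json" step to the operator. As an added example (not part of the turbot/aws_cis mod), the following Python checks whether a policy document, as returned by get-bucket-policy, already contains a compliant deny statement, and appends one only when it is missing; the bucket name "example-bucket" and the sample policy are constructed for the demonstration.

```python
import json

def _as_list(v):
    # IAM policy fields such as Statement, Action and Resource may be a string or a list.
    return v if isinstance(v, list) else [v]

def denies_insecure_transport(policy: dict, bucket: str) -> bool:
    """True if some statement denies all S3 actions to every principal when
    aws:SecureTransport is false and covers the bucket's objects."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if "s3:*" not in _as_list(st.get("Action", [])):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if object_arn in _as_list(st.get("Resource", [])):
            return True
    return False

def add_deny_http_statement(policy: dict, bucket: str) -> dict:
    """Return the policy unchanged if already compliant, else a copy with the
    CIS 2.1.1 deny statement appended (so repeated runs stay idempotent)."""
    if denies_insecure_transport(policy, bucket):
        return policy
    fixed = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        # Both ARNs: "bucket/*" alone does not match bucket-level calls such as ListBucket.
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }]
    return fixed

# Constructed sample: grants anonymous HTTPS reads but never denies plain HTTP.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    # Write this output to policy.json and apply it with put-bucket-policy.
    print(json.dumps(add_deny_http_statement(SAMPLE_POLICY, "example-bucket"), indent=2))
```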
Run the pipeline
To run this pipeline from your terminal:
flowpipe pipeline run aws_cis.pipeline.cis_v400_2_1_1
Use this pipeline
To call this pipeline from your pipeline, use a step:
step "pipeline" "step_name" {
  pipeline = aws_cis.pipeline.cis_v400_2_1_1
}
Params
Name | Type | Required | Description | Default
---|---|---|---|---
database | connection.steampipe | Yes | Database connection string. | connection.steampipe.default
notifier | notifier | Yes | The name of the notifier to use for sending notification messages. | notifier.default
notification_level | string | Yes | The verbosity level of notification messages to send. Valid options are 'verbose', 'info', 'error'. | info
approvers | list(notifier) | Yes | List of notifiers to be used for obtaining action/approval decisions. | notifier.default
Outputs
This pipeline has no outputs.
Tags
folder = CIS v4.0.0/2 Storage/2.1 Simple Storage Service (S3)