How to Find AWS S3 buckets without Secure Transport Policy

Problem

If HTTPS is not enforced on the bucket policy, communication between clients and S3 buckets can use unencrypted HTTP. As a result, sensitive information could be transmitted in clear text over the network or internet.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity medium.

Prerequisites

This guide assumes that you have already installed and configured Resoto to collect your AWS cloud resources.

Directions

1. Execute the following search command in Resoto Shell or Resoto UI:

   > search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" }
   ​kind=aws_s3_bucket, ..., region=resoto-poweruser
   ​kind=aws_s3_bucket, ..., account=poweruser-team

2. Pipe the search command into the dump command:

   > search is(aws_s3_bucket) and not bucket_policy.Statement[*].{Effect=Deny and (Action=s3:PutObject or Action="s3:*" or Action="*") and Condition.Bool.`aws:SecureTransport`== "false" } | dump
   ​reported:
   ​  id: /aws/s3/123
   ​  name: some-name
   ​  ctime: '2022-12-05T22:53:14Z'
   ​  kind: aws_s3_bucket
   ​  age: 2mo28d

   The command output will list the details of all non-compliant aws_s3_bucket resources.

3. Fix detected issues by following the remediation steps:

   • Enable encryption in transit for all matching S3 buckets.
   note

   Please refer to the AWS S3 documentation for details.

Further Reading

• Search
• Command-Line Interface
• aws_s3_bucket Resource Data Model

External Links

• CIS Amazon Web Services Benchmarks cisecurity.org
• AWS Documentation docs.aws.amazon.com