s3-bucket-ssl-requests-only - AWS Config

s3-bucket-ssl-requests-only

Checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). The rule is COMPLIANT if buckets explicitly deny access to HTTP requests. The rule is NON_COMPLIANT if bucket policies allow HTTP requests.

Identifier: S3_BUCKET_SSL_REQUESTS_ONLY

Trigger type: Configuration changes

AWS Region: All supported AWS Regions

Parameters:

None

An example of a bucket policy that is COMPLIANT with the SSL AWS Config rule is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "123412341234"
                ]
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::example-bucket/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

An example of a bucket policy that is NON_COMPLIANT with the SSL AWS Config rule is as follows. The Deny statement covers only the private/ prefix, so objects outside that prefix remain reachable over plain HTTP:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "123412341234"
                ]
            },
            "Action": "s3:Get*",
            "Resource": "arn:aws:s3:::example-bucket/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::example-bucket/private/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
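To see why the first policy passes and the second fails, here is an added Python checker (not AWS Config's own implementation) that applies the rule's logic to both policies above: it looks for a Deny that applies to every principal and every action when aws:SecureTransport is false, and whose Resource reaches every object in the bucket rather than a single prefix. The function and constant names are the example's own, and the "bucket name" argument is an assumption used to match Resource ARNs.

```python
import json

# Constructed checker that mirrors the intent of S3_BUCKET_SSL_REQUESTS_ONLY.
# It is an illustration, not the AWS Config rule's own code, and it is strict:
# the Deny must reach every object in the bucket, not just one key prefix.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_all_objects(resources, bucket):
    """True if at least one Resource ARN matches every object key in the bucket."""
    whole = {"*", f"arn:aws:s3:::{bucket}*", f"arn:aws:s3:::{bucket}/*"}
    return any(r in whole for r in _as_list(resources))

def _denies_http(stmt, bucket):
    """True if stmt is 'Deny all actions to everyone when aws:SecureTransport is false'."""
    if stmt.get("Effect") != "Deny":
        return False
    principal = stmt.get("Principal")
    if principal != "*" and principal != {"AWS": "*"}:
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"*", "s3:*"}:
        return False
    secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if str(secure).lower() != "false":   # accepts the string "false" or JSON false
        return False
    return _covers_all_objects(stmt.get("Resource", []), bucket)

def evaluate_ssl_requests_only(policy_json, bucket):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one bucket policy document."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    return "COMPLIANT" if any(_denies_http(s, bucket) for s in statements) else "NON_COMPLIANT"

# The two policies from the page, embedded so the checker runs offline.
COMPLIANT_POLICY = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"AWS": ["123412341234"]}, "Action": "s3:Get*",
  "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}"""
NON_COMPLIANT_POLICY = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Principal": {"AWS": ["123412341234"]}, "Action": "s3:Get*",
  "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Effect": "Deny", "Principal": "*", "Action": "*", "Resource": "arn:aws:s3:::example-bucket/private/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}"""

if __name__ == "__main__":
    print(evaluate_ssl_requests_only(COMPLIANT_POLICY, "example-bucket"))      # COMPLIANT
    print(evaluate_ssl_requests_only(NON_COMPLIANT_POLICY, "example-bucket"))  # NON_COMPLIANT
```

The same check run with a different bucket name reports NON_COMPLIANT, because the Deny's Resource ARN then matches none of that bucket's objects.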

AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.