Certified Security - Specialty


Another approach to deny http access

Towards the end of the video tutorial, Ryan mentioned an alternate method to limit access only to HTTPS traffic – set ‘aws:SecureTransport’ to true. In that case, would the bucket policy look something like this (ignore the syntax):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "<bucket ARN>/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}

There shouldn’t be a need for any ‘deny’ conditions in this case since it would deny ‘https’ access as well (deny overrides allow). Is my understanding correct?

mhayslip

I have tested this and it does deny access if not using https. The default action of deny will take over since the condition is no longer true if just using http.

bdenning

Your policy is fine, but the reason to use an Explicit Deny is where someone is using both ACLs and bucket policies. If the ACL for that object or bucket allows public read, then the implicit deny in your policy will be overridden by the explicit allow in the ACL. If you use the explicit deny, then that will always take precedence when not using HTTPS.

Balaji Venkatraman

I think the TRUE part checks for the object ACLs, the smtp part of the policy checks for the incoming request as HTTP/HTTPS, and the DENY part just does its job of blocking access!

1 Answer

I think in Ryan’s policy document – the "true" part is just to read or get the object first and THEN evaluate the boolean to decide to allow or disallow.

I think in short – rather than attaching two policies for the bucket (one for reading/listing, which is a prerequisite for the evaluation, and a second one for the secure transport logic) – the trainer chose to show both of them in the same policy!
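The evaluation order this thread turns on (an explicit Deny beats any Allow, an ACL public-read grant is itself an Allow, and with neither the request is implicitly denied) can be checked with a small model. The code below is an added example, not code from the course, the thread or AWS: the bucket name, object key and the three policy documents are constructed, and the evaluator implements only the Bool condition operator and the s3:GetObject action the discussion uses. Real IAM evaluation also takes identity policies, SCPs and permission boundaries into account, which this model leaves out.

```python
"""Simplified model of S3 access evaluation: bucket policy plus object ACL.

Added example (not the course's or AWS's code). Models the three rules the
thread discusses: explicit Deny wins, otherwise any Allow (bucket policy or
ACL) wins, otherwise implicit deny. Only the Bool condition operator and the
s3:GetObject action are implemented.
"""

# Constructed policy documents; the bucket name is a placeholder.
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"

# The questioner's variant: a single Allow that only matches over HTTPS.
ALLOW_ONLY_HTTPS = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": BUCKET_OBJECTS,
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    ]
}

# The explicit-deny variant: block the read whenever transport is not TLS.
DENY_HTTP = {
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
         "Resource": BUCKET_OBJECTS,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
}

# Both statements in one document, the shape the answer above describes.
ALLOW_THEN_DENY_HTTP = {
    "Statement": ALLOW_ONLY_HTTPS["Statement"] + DENY_HTTP["Statement"]
}


def condition_matches(condition, request):
    """Evaluate the Bool operator: every listed key must equal its value."""
    for key, expected in condition.get("Bool", {}).items():
        actual = request.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def statement_applies(stmt, request):
    """True when action, resource and condition all match the request."""
    actions = stmt["Action"]
    if not isinstance(actions, list):
        actions = [actions]
    resource = stmt["Resource"]
    if resource.endswith("*"):
        resource_ok = request["resource"].startswith(resource[:-1])
    else:
        resource_ok = request["resource"] == resource
    return (request["action"] in actions and resource_ok
            and condition_matches(stmt.get("Condition", {}), request))


def evaluate(policy, acl_public_read, request):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    effects = {s["Effect"] for s in policy["Statement"]
               if statement_applies(s, request)}
    if "Deny" in effects:
        return "explicit deny"          # a matching Deny overrides everything
    acl_allows = acl_public_read and request["action"] == "s3:GetObject"
    if "Allow" in effects or acl_allows:
        return "allow"                  # policy Allow or ACL grant suffices
    return "implicit deny"              # nothing matched at all


def get_object_request(https):
    """Constructed request context for reading one object in the bucket."""
    return {"action": "s3:GetObject",
            "resource": "arn:aws:s3:::example-bucket/report.csv",
            "aws:SecureTransport": "true" if https else "false"}


def outcomes(policy, acl_public_read):
    """(result over plain HTTP, result over HTTPS) for a policy/ACL pair."""
    return (evaluate(policy, acl_public_read, get_object_request(False)),
            evaluate(policy, acl_public_read, get_object_request(True)))


if __name__ == "__main__":
    variants = [("allow-only-https", ALLOW_ONLY_HTTPS),
                ("deny-http", DENY_HTTP),
                ("allow-then-deny", ALLOW_THEN_DENY_HTTP)]
    for name, policy in variants:
        for acl in (False, True):
            http, https = outcomes(policy, acl)
            print(f"{name:17} acl_public_read={str(acl):5} "
                  f"http={http:14} https={https}")
```

Running it reproduces the point made in the replies: with no ACL grant, the allow-only policy leaves plain HTTP at "implicit deny", which is why the test in the first reply passed; once the object ACL grants public read, that same policy yields "allow" over HTTP, while either variant containing the explicit Deny still returns "explicit deny".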
