Certified Security - Specialty

Sign Up Free or Log In to participate!

is redirection from http to Https possible using S3 Bucket policy ? is this wise to block access at http ?

instead of blocking http from S3 bucket policy, Can we redirect http to https

3 Answers

Yes can redirect

Sudheer Mishra

Can you please point me to the document which describes redirection. If somebody tries http then it should automatically redirect to https

Sam T

Sorry I mis-read the question (haste) – you cant do this with s3 bucket policy but with the CDN policies. However some browsers will redirect http to https – based on rejection code etc.

Hi Sudheer,

If you are configuring your s3 bucket as a static Web site and accessing it through CloudFront, then you can configure your CloudFront distribution to automatically redirect http requests to https.

However, I’m not aware of any setting that allow you to do the same type of automatic redirection when accessing objects directly through the S3 endpoints.

A couple references that you may already be aware of – posting in case:

What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?

There’s nothing exposed in the management console that allows you to set a property on the bucket to redirect requests from https to https, nor do I see any put- related API calls that would support this in the s3api documentation. The only thing I’ve found is the same as you’ve mentioned in your original question, using a bucket policy setting to block non-secure transport.

As for your question about it being wise to block access at http, there’s a nice blog post referenced in the link above that discusses this topic: 

How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data 

It includes the following statement: Defense-in-depth requirement 1: Data must be encrypted at rest and during transit


Yes, it is wise to block http. Even if the browser does not automatically try https, and even if CloudFront doesn’t redirect to https, the risk of an end user being affected by the restriction is much lower than even the very low chance of in-flight interception of plaintext content.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?