Certified Security - Specialty


Is redirection from HTTP to HTTPS possible using an S3 bucket policy? Is it wise to block access over HTTP?

Instead of blocking HTTP from the S3 bucket policy, can we redirect HTTP to HTTPS?

3 Answers

Yes can redirect

Sudheer Mishra

Can you please point me to the document which describes redirection? If somebody tries HTTP, then it should automatically redirect to HTTPS.

Sam T

Sorry, I misread the question (haste) – you can't do this with an S3 bucket policy, but you can with the CDN policies. However, some browsers will redirect HTTP to HTTPS – based on the rejection code etc.

Hi Sudheer,

If you are configuring your S3 bucket as a static website and accessing it through CloudFront, then you can configure your CloudFront distribution to automatically redirect HTTP requests to HTTPS.

However, I'm not aware of any setting that allows you to do the same type of automatic redirection when accessing objects directly through the S3 endpoints.

A couple references that you may already be aware of – posting in case:

What S3 bucket policy should I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?

There's nothing exposed in the management console that allows you to set a property on the bucket to redirect requests from HTTP to HTTPS, nor do I see any put-related API calls that would support this in the s3api documentation. The only thing I've found is the same as you've mentioned in your original question: using a bucket policy setting to block non-secure transport.

As for your question about it being wise to block access at HTTP, there's a nice blog post referenced in the link above that discusses this topic:

How to Use Bucket Policies and Apply Defense-in-Depth to Help Secure Your Amazon S3 Data

It includes the following statement: "Defense-in-depth requirement 1: Data must be encrypted at rest and during transit."

Tom.
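The two mechanisms discussed in this thread, a bucket policy that denies non-TLS requests (it returns 403, it does not redirect) and a CloudFront cache behavior set to redirect-to-https, as an added example that is not code from the thread or from AWS. The bucket name is a placeholder, `request_is_denied` is a deliberately tiny toy evaluator that only models the one Deny statement shape shown (not IAM's real evaluation logic), and the CloudFront dict mirrors the `DistributionConfig` shape used by the CloudFront API (`DefaultCacheBehavior`, `CacheBehaviors.Items`, `ViewerProtocolPolicy`):

```python
import json


def https_only_bucket_policy(bucket_name):
    """Return a bucket policy that denies every S3 action unless the request
    arrived over TLS. aws:SecureTransport is the global IAM condition key the
    AWS Config rule s3-bucket-ssl-requests-only checks for; the bucket name is
    a caller-supplied placeholder."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                # Both the bucket itself (ListBucket) and its objects (GetObject ...)
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def request_is_denied(policy, request_uses_tls):
    """Toy evaluator (assumption: only Deny statements with a Bool condition are
    modelled). Returns True when an explicit Deny matches the request context,
    which is what a plain-HTTP client sees as a 403 rather than a redirect."""
    context = {"aws:SecureTransport": "true" if request_uses_tls else "false"}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        bool_conditions = statement.get("Condition", {}).get("Bool", {})
        if all(context.get(key) == value for key, value in bool_conditions.items()):
            return True
    return False


def redirect_http_to_https(distribution_config):
    """Set ViewerProtocolPolicy to redirect-to-https on the default cache
    behavior and every additional cache behavior of a CloudFront
    DistributionConfig dict, so viewers that arrive over HTTP get a 301 to HTTPS.
    Valid values of this field are allow-all, https-only and redirect-to-https."""
    distribution_config["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "redirect-to-https"
    for behavior in distribution_config.get("CacheBehaviors", {}).get("Items", []):
        behavior["ViewerProtocolPolicy"] = "redirect-to-https"
    return distribution_config


def weak_distribution_config():
    """Constructed sample: a distribution that still accepts plaintext HTTP."""
    return {
        "DefaultCacheBehavior": {"TargetOriginId": "s3-origin", "ViewerProtocolPolicy": "allow-all"},
        "CacheBehaviors": {
            "Quantity": 1,
            "Items": [{"PathPattern": "/images/*", "TargetOriginId": "s3-origin",
                       "ViewerProtocolPolicy": "allow-all"}],
        },
    }


if __name__ == "__main__":
    policy = https_only_bucket_policy("example-bucket-placeholder")
    print(json.dumps(policy, indent=2))
    print("plain HTTP denied:", request_is_denied(policy, request_uses_tls=False))
    print("HTTPS denied:", request_is_denied(policy, request_uses_tls=True))
    print(json.dumps(redirect_http_to_https(weak_distribution_config()), indent=2))
```

The policy is what you would pass to `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`; pairing it with the CloudFront redirect keeps the user-facing redirect on the CDN edge while the bucket itself refuses plaintext even when someone bypasses CloudFront and hits the S3 endpoint directly.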

Yes, it is wise to block HTTP. Even if the browser does not automatically try HTTPS, and even if CloudFront doesn't redirect to HTTPS, the risk of an end user being affected by the restriction is much lower than even the very low chance of in-flight interception of plaintext content.
