Instead of blocking HTTP in the S3 bucket policy, can we redirect HTTP to HTTPS?
Yes, you can redirect.
If you are configuring your s3 bucket as a static Web site and accessing it through CloudFront, then you can configure your CloudFront distribution to automatically redirect http requests to https.
However, I’m not aware of any setting that allows you to do the same type of automatic redirection when accessing objects directly through the S3 endpoints.
A couple references that you may already be aware of – posting in case:
There’s nothing exposed in the management console that allows you to set a property on the bucket to redirect requests from http to https, nor do I see any put-related API calls that would support this in the s3api documentation. The only thing I’ve found is the same as you’ve mentioned in your original question, using a bucket policy setting to block non-secure transport.
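The "block non-secure transport" bucket policy the answers refer to, as an added example that is not from the original thread: it builds the explicit Deny on `aws:SecureTransport = false` and includes a small checker (a hypothetical helper, not an AWS API) that verifies a given policy document actually covers both the bucket and its objects. The bucket name is a constructed placeholder.

```python
import json

# Constructed placeholder; substitute your own bucket name.
BUCKET = "example-bucket"


def deny_insecure_transport_policy(bucket: str) -> dict:
    """Bucket policy that rejects every request not made over TLS.

    aws:SecureTransport evaluates to "false" for plain-HTTP requests, so an
    explicit Deny with this condition blocks all principals and all S3
    actions against the bucket ARN and every object under it.
    """
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [arn, f"{arn}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def enforces_tls(policy: dict, bucket: str) -> bool:
    """True if some Deny statement blocks non-TLS access to the bucket and its objects."""
    arn = f"arn:aws:s3:::{bucket}"
    needed = {arn, f"{arn}/*"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("s3:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if needed.issubset(resources):  # bucket-only Deny leaves objects reachable over HTTP
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(deny_insecure_transport_policy(BUCKET), indent=2))
```

Apply the printed document with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; the CloudFront-side equivalent of a redirect is the cache behavior's viewer protocol policy set to `redirect-to-https`.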
As for your question about it being wise to block access at http, there’s a nice blog post referenced in the link above that discusses this topic:
It includes the following statement: Defense-in-depth requirement 1: Data must be encrypted at rest and during transit
Yes, it is wise to block http. Even if the browser does not automatically try https, and even if CloudFront doesn’t redirect to https, the risk of an end user being affected by the restriction is much lower than even the very low chance of in-flight interception of plaintext content.