Certified Security - Specialty

Sign Up Free or Log In to participate!

Is this necessary?

I thought the default action was to open the object using SSL/TLS. So why this forcing condition? Are there instances when we try to read the object, there is no secure connection and use only HTTP?

Rakesh Barial

I am not able to access any course. It always asks for membership. I have through my company.

5 Answers

Not sure what you mean by "default action", but it is true that the anonymous access link generated by the S3 console uses the HTTPS protocol.

The "forcing condition" exists to disable the same anonymous access using the HTTP (insecure) protocol.

By "use only HTTP" do you mean the opposite case, where HTTPS is disabled?

I can’t think of why you would want to do this, but a practical situation to prefer HTTP (while not fully blocking HTTPS) might be for many small frequently accessed objects such as static assets on a website where there is no sensitive information and you want to avoid the small CPU overhead for encryption and decryption. The CPU overhead used to be a common complaint of HTTPS, but I don’t know if it’s still relevant now.

Would this policy serve the same function too? as the one Ryan used in the class

{"Version": "2012-10-17",

"Statement": [


"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": {

"AWS": "*"


"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::yourbucketnamehere/*"



{ "aws:SecureTransport": false }






This component should allow only HTTP access, as the HTTPS access will not meet the criteria of this Allow action and will hit the implicit Deny.

I am not able to access  this course. It always asks for membership. I have through my company.

Couldn’t find other place to place my query. Sorry about that.

You can try accessing the object using HTTP and see how it goes without this policy.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?