Optimization of the Bucket policy to force encryption using S3

Question

I think, that the second statement of the bucket policy is not really needed, if you specify the condition in the first statement with value "true":

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": {

"AWS": "*"

},

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::mystupidbucket/*",

"Condition": {

"Bool": {

"aws:SecureTransport": "true"

}

]

}

I tried that out and it worked as expected.

Regards,

Marcell

Matthew Mattoon Answered 3 years ago · Answer 1 · 2018-10-01 18:47:58

Matthew Mattoon

Answered 3 years ago

Marcell,

The only issue I see with you approach is if you have multiple elements to your policy then you will have to allow an explicit deny to prevent users from bypassing the encryption. The longer form is the more flexible policy and I would recommend that you explicitly deny if the goal is to prevent unencrypted access to bucket contents.

-matt

Marcell Jobs

Answered 3 years ago

Thanks Matt, good point.

Ravi Balla Answered 2 years ago · Answer 2 · 2019-08-30 15:41:16

Ravi Balla

Answered 2 years ago

@Marcell, I thought of your approach too, but S3 is still allowing access on HTTP. It only worked to block access, when I put an explicit DENY with the condition ("aws:SecureTransport": false)

Optimization of the Bucket policy to force encryption using S3

2 Answers

Newsletter