Certified Security - Specialty

Sign Up Free or Log In to participate!

Optimization of the Bucket policy to force encryption using S3

I think, that the second statement of the bucket policy is not really needed, if you specify the condition in the first statement with value "true":


"Version": "2012-10-17",

"Statement": [


"Sid": "PublicReadGetObject",

"Effect": "Allow",

"Principal": {

"AWS": "*"


"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::mystupidbucket/*",

"Condition": {

"Bool": {

"aws:SecureTransport": "true"






I tried that out and it worked as expected.



2 Answers


The only issue I see with you approach is if you have multiple elements to your policy then you will have to allow an explicit deny to prevent users from bypassing the encryption.  The longer form is the more flexible policy and I would recommend that you explicitly deny if the goal is to prevent unencrypted access to bucket contents.


Marcell Jobs

Thanks Matt, good point.

@Marcell, I thought of your approach too, but S3 is still allowing access on HTTP. It only worked to block access, when I put an explicit DENY with the condition ("aws:SecureTransport": false)

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?