Certified Security - Specialty

Sign Up Free or Log In to participate!

Why is it not enough just to put allow GetObject and condition aws:SecureTransport:True?

For this policy why is necessary use both statements

2 Answers

Yes you think it could be done in one section, but its similar to firewall rule hierarchy. First rule allows public reads and second rule denies if HTTPS is false.

This worked in my testing.

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yourbucketnamehere/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?