turbot/steampipe-mod-aws-compliance

Control: 5 S3 buckets should require requests to use Secure Socket Layer

Description

This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL).

S3 buckets should have a resource policy that denies all requests (Action: s3:*) that are not sent over HTTPS, expressed with the condition key aws:SecureTransport, which is false for plain-HTTP requests. The Deny must name both the bucket ARN and its object ARN (arn:aws:s3:::bucket and arn:aws:s3:::bucket/*); a statement that covers only objects still permits bucket-level operations such as listing over HTTP.

This control checks only for the presence of such a statement; it does not check the SSL or TLS version the endpoint negotiates. You should not allow early versions of SSL or TLS (SSLv3, TLS 1.0) per PCI DSS requirements.

Remediation

  1. Open the Amazon S3 console.
  2. Navigate to the noncompliant bucket, and then choose the bucket name.
  3. Choose Permissions, then choose Bucket Policy.
  4. Add a policy statement like the one below. Replace awsexamplebucket with the name of the bucket you are modifying; keep both the bucket ARN and the object ARN (/*) in Resource so that bucket-level and object-level requests are denied over plain HTTP.

     {
       "Id": "ExamplePolicy",
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "AllowSSLRequestsOnly",
           "Action": "s3:*",
           "Effect": "Deny",
           "Resource": [
             "arn:aws:s3:::awsexamplebucket",
             "arn:aws:s3:::awsexamplebucket/*"
           ],
           "Condition": {
             "Bool": {
               "aws:SecureTransport": "false"
             }
           },
           "Principal": "*"
         }
       ]
     }

  5. Choose Save.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_s3_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_s3_5 --share

SQL

This control uses a named query. It marks a bucket ok when some statement in its policy has Effect Deny, Principal * and a Bool condition aws:SecureTransport of false. The Action (a) and Resource (r) elements are expanded but never filtered, so a Deny scoped to a single action or only to object ARNs also passes, even though the description above calls for s3:* on both the bucket and its objects:

with ssl_ok as (
  select distinct
    name,
    arn,
    'ok' as status
  from
    aws_s3_bucket,
    -- policy_std is the policy in Steampipe's canonical form: Principal "*"
    -- appears as {"AWS": ["*"]}, scalars become arrays and condition keys
    -- are lower-cased, which is why the lookups below are written this way.
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    jsonb_array_elements_text(s -> 'Action') as a,
    jsonb_array_elements_text(s -> 'Resource') as r,
    jsonb_array_elements_text(
      s -> 'Condition' -> 'Bool' -> 'aws:securetransport'
    ) as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    and ssl :: bool = false
)
select
  b.arn as resource,
  case
    when ok.status = 'ok' then 'ok'
    else 'alarm'
  end as status,
  case
    when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.'
    else b.name || ' bucket policy does not enforce HTTPS.'
  end as reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join ssl_ok as ok on ok.name = b.name;
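The same test the SQL above makes (Deny, Principal *, aws:SecureTransport false), plus the action and resource coverage the Description asks for, written as an offline Python checker next to a generator for the remediation policy. This is an added example, not code from the steampipe-mod-aws-compliance project or from AWS: the function names, the fnmatch-based wildcard matching and the sample policies are the example's own assumptions, and it approximates IAM's evaluation rather than reproducing it. In practice you would feed enforces_https the document returned by aws s3api get-bucket-policy.

```python
"""Offline check: does an S3 bucket policy enforce HTTPS-only access?

Added example, not code from steampipe-mod-aws-compliance. Function names,
the fnmatch-based wildcard matching and the sample policies are the
example's own; they approximate IAM's evaluation rather than reproduce it.
"""
import json
from fnmatch import fnmatchcase


def ssl_only_policy(bucket: str) -> dict:
    """The remediation policy from the page, for the given bucket name."""
    return {
        "Id": "ExamplePolicy",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSSLRequestsOnly",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            "Principal": "*",
        }],
    }


def _as_list(value) -> list:
    """Policy elements may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Principal "*" and {"AWS": "*"} both mean any principal, anonymous included."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _covers(patterns, arn: str) -> bool:
    """IAM's resource wildcard '*' matches any run of characters, '/' included,
    as fnmatch's does; S3 ARNs contain no '[' or '?' to confuse it."""
    return any(fnmatchcase(arn, p) for p in patterns)


def _secure_transport_false(condition) -> bool:
    """Condition keys are case-insensitive and a Bool value may be the string
    "false" or a bare JSON false, so compare both sides lower-cased."""
    condition = condition if isinstance(condition, dict) else {}
    for operator, keys in condition.items():
        if operator.lower() != "bool" or not isinstance(keys, dict):
            continue
        for key, value in keys.items():
            if key.lower() == "aws:securetransport" and any(
                    str(v).lower() == "false" for v in _as_list(value)):
                return True
    return False


def enforces_https(policy: dict, bucket: str) -> bool:
    """True if a statement denies every principal's plaintext requests for all
    S3 actions on both the bucket ARN and every object ARN beneath it.
    Statements built on NotAction/NotResource are not interpreted."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not {a.lower() for a in _as_list(stmt.get("Action"))} & {"s3:*", "*"}:
            continue
        resources = _as_list(stmt.get("Resource"))
        if not (_covers(resources, bucket_arn) and _covers(resources, object_arn)):
            continue
        if _secure_transport_false(stmt.get("Condition")):
            return True
    return False


# Constructed sample policies for a bucket named awsexamplebucket.
# Denies plaintext object requests only; ListBucket over HTTP still works.
OBJECTS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::awsexamplebucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Equivalent to the remediation policy, written the way policies are often
# stored: Principal as {"AWS": "*"}, a wildcard resource, a bare boolean.
ANONYMOUS_VARIANT = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": ["s3:*"],
    "Resource": "arn:aws:s3:::*",
    "Condition": {"Bool": {"AWS:SecureTransport": false}}}]}""")
# Allowing TLS requests is not the same as denying plaintext ones.
ALLOW_TLS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::awsexamplebucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

if __name__ == "__main__":
    for label, policy in [("remediation policy", ssl_only_policy("awsexamplebucket")),
                          ("objects-only deny", OBJECTS_ONLY),
                          ("anonymous variant", ANONYMOUS_VARIANT),
                          ("allow over TLS only", ALLOW_TLS_ONLY)]:
        print("ok   " if enforces_https(policy, "awsexamplebucket") else "alarm", label)
```

The objects-only and allow-only samples both pass the control's SQL (the first outright, since Action and Resource are not filtered) yet leave plain-HTTP access possible, which is the gap the coverage checks close.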

Tags