Control: S3 buckets should enforce SSL
Description
To help protect data in transit, ensure that your Amazon Simple Storage Service (Amazon S3) buckets require requests to use Secure Sockets Layer (SSL)/TLS, that is, a bucket policy with a Deny statement that applies to all principals when the aws:SecureTransport condition key is false, so that requests made over plain HTTP are rejected.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.s3_bucket_enforces_ssl
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.s3_bucket_enforces_ssl --share
SQL
This control uses a named query:
with ssl_ok as (
  select distinct
    name,
    arn,
    'ok' as status
  from
    aws_s3_bucket,
    jsonb_array_elements(policy_std -> 'Statement') as s,
    jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,
    jsonb_array_elements_text(s -> 'Action') as a,
    jsonb_array_elements_text(s -> 'Resource') as r,
    jsonb_array_elements_text(s -> 'Condition' -> 'Bool' -> 'aws:securetransport') as ssl
  where
    p = '*'
    and s ->> 'Effect' = 'Deny'
    and ssl :: bool = false
)
select
  b.arn as resource,
  case when ok.status = 'ok' then 'ok' else 'alarm' end status,
  case
    when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.'
    else b.name || ' bucket policy does not enforce HTTPS.'
  end reason,
  b.region,
  b.account_id
from
  aws_s3_bucket as b
  left join ssl_ok as ok on ok.name = b.name;
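Note what the query does and does not test: a bucket passes as soon as its policy contains any Deny statement for principal * whose Bool condition has aws:SecureTransport set to false. The Action and Resource elements are expanded (aliases a and r) but never filtered, so a Deny that covers only s3:GetObject on objects would still be reported as ok even though PutObject and ListBucket over plain HTTP remain allowed. The following is an added example, not code from the aws_compliance mod: it evaluates raw bucket policy documents offline with the same loose test the control uses, and a stricter variant that also requires the Deny to cover all S3 actions on both the bucket and its objects. The bucket names and the three sample policies are constructed for the example; the helper names (enforces_ssl, enforces_ssl_strict, status) are the author's own.

```python
import json

# Constructed sample policies (not taken from the original page).
# 1. The canonical enforcement statement: Deny everything over plain HTTP.
ENFORCING_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# 2. Deny on object reads only: satisfies the control's loose test, but
#    PutObject / ListBucket over HTTP are still permitted.
PARTIAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# 3. A policy with no transport condition at all: alarm.
NO_SSL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")


def _as_list(v):
    """IAM allows scalars or arrays in most elements; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(principal):
    # policy_std rewrites "Principal": "*" to {"AWS": ["*"]}; accept both spellings here.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _secure_transport_false(stmt):
    # Condition keys are case-insensitive; the control matches the lowercased key.
    bool_cond = stmt.get("Condition", {}).get("Bool", {})
    for key, value in bool_cond.items():
        if key.lower() == "aws:securetransport":
            return any(str(x).lower() == "false" for x in _as_list(value))
    return False


def _enforcing_statements(policy):
    for s in policy.get("Statement", []):
        if (s.get("Effect") == "Deny"
                and _principal_is_wildcard(s.get("Principal"))
                and _secure_transport_false(s)):
            yield s


def enforces_ssl(policy):
    """Same test as the control: any Deny for principal * on aws:SecureTransport=false."""
    return any(True for _ in _enforcing_statements(policy))


def enforces_ssl_strict(policy, bucket):
    """Stricter: the Deny must also cover all S3 actions on the bucket and its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for s in _enforcing_statements(policy):
        actions = set(_as_list(s.get("Action", [])))
        resources = set(_as_list(s.get("Resource", [])))
        covers_all = needed <= resources or "*" in resources or "arn:aws:s3:::*" in resources
        if actions & {"*", "s3:*"} and covers_all:
            return True
    return False


def status(policy, bucket, strict=False):
    """Return the control's 'ok' / 'alarm' verdict for one bucket policy."""
    ok = enforces_ssl_strict(policy, bucket) if strict else enforces_ssl(policy)
    return "ok" if ok else "alarm"


if __name__ == "__main__":
    for name, pol in [("enforcing", ENFORCING_POLICY), ("partial", PARTIAL_POLICY), ("none", NO_SSL_POLICY)]:
        print(f"{name}: loose={status(pol, 'example-bucket')} strict={status(pol, 'example-bucket', strict=True)}")
```

To apply the stricter test inside Powerpipe you would add `a in ('*', 's3:*')` to the where clause of the ssl_ok CTE and check that `r` covers both the bucket ARN and the bucket ARN with a trailing /*; the Python version above shows the conditions that such a filter needs to express.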