turbot/tailpipe-mod-aws-s3-server-access-log-detections

Detection: S3 Bucket Accessed Using Insecure TLS Version

Overview

Detect when an Amazon S3 bucket was accessed using an insecure or deprecated TLS version such as TLS 1.0 or TLS 1.1. These older protocols are known to have cryptographic weaknesses and are no longer considered secure for transmitting sensitive data.

Accessing S3 buckets over insecure TLS can expose control plane requests (like listing objects or modifying settings) to interception or downgrade attacks. Enforcing modern TLS versions helps ensure data-in-transit confidentiality and integrity.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_s3_server_access_log_detections.detection.s3_bucket_accessed_using_insecure_tls_version

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_s3_server_access_log_detections.detection.s3_bucket_accessed_using_insecure_tls_version --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  operation,
  bucket as resource,
  requester as actor,
  tp_source_ip as source_ip,
  tp_index as account_id,
  tp_id as source_id,
  http_status,
  error_code,
  *
from
  aws_s3_server_access_log
where
  operation not in ('REST.GET.OBJECT', 'REST.PUT.OBJECT', 'REST.DELETE.OBJECT')
  and tls_version in ('TLSv1.0', 'TLSv1.1')
order by
  tp_timestamp desc;
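The same detection logic applied to raw S3 server access log lines instead of the aws_s3_server_access_log table, as an added example that is not part of the Tailpipe mod: it tokenizes the documented log record format, keeps the fields the query selects, and applies the query's operation exclusion and TLS version filter. The sample records, owner/request IDs and hostnames are constructed.

```python
"""Apply the page's insecure-TLS detection to raw S3 server access log lines.
Example code added to this page, not part of the Tailpipe mod. Field positions
follow the documented S3 server access log format; the sample records below
are constructed, with placeholder IDs and hostnames."""
import re
from datetime import datetime

# 0-based positions of the fields the detection selects from each record.
FIELDS = {"bucket": 1, "time": 2, "source_ip": 3, "requester": 4,
          "operation": 6, "http_status": 9, "error_code": 10, "tls_version": 23}
# The record is space-delimited, but the time is bracketed and the request
# URI, referer and user agent are double-quoted and may contain spaces.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Same exclusions and TLS versions as the mod's named query.
OBJECT_OPERATIONS = {"REST.GET.OBJECT", "REST.PUT.OBJECT", "REST.DELETE.OBJECT"}
INSECURE_TLS = {"TLSv1.0", "TLSv1.1"}

def parse_record(line):
    """Split one log line into the named fields the detection uses."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) <= max(FIELDS.values()):
        raise ValueError("too few fields for an S3 server access log record")
    rec = {name: tokens[i] for name, i in FIELDS.items()}
    rec["time"] = datetime.strptime(rec["time"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_insecure_tls_access(rec):
    """True for non-object requests negotiated over TLS 1.0 or 1.1. Plain-HTTP
    requests log '-' as tls_version and do not match, exactly as in the query."""
    return rec["operation"] not in OBJECT_OPERATIONS and rec["tls_version"] in INSECURE_TLS

def detect(lines):
    """Return matching records newest first, mirroring the query's ORDER BY."""
    hits = [r for r in map(parse_record, lines) if is_insecure_tls_access(r)]
    return sorted(hits, key=lambda r: r["time"], reverse=True)

# Constructed sample records: a bucket list over TLS 1.0 and a bucket-policy
# read over TLS 1.1 (both alerts), an object GET over TLS 1.1 (excluded as an
# object-level operation) and a bucket list over TLS 1.2 (not insecure).
SAMPLE_LOG = [
    'OWNERID examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNERID 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /examplebucket?max-keys=1 HTTP/1.1" 200 - 1234 - 42 41 "-" "aws-cli/1.16.0" - HOSTID SigV4 ECDHE-RSA-AES128-SHA AuthHeader examplebucket.s3.amazonaws.com TLSv1.0 - -',
    'OWNERID examplebucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 OWNERID 7B2E4C1A9EXAMPLE REST.GET.OBJECT report.csv "GET /examplebucket/report.csv HTTP/1.1" 200 - 5120 5120 30 28 "-" "aws-cli/1.16.0" - HOSTID SigV4 ECDHE-RSA-AES128-SHA AuthHeader examplebucket.s3.amazonaws.com TLSv1.1 - -',
    'OWNERID examplebucket [06/Feb/2019:00:02:15 +0000] 198.51.100.7 OWNERID A1C3E5F7BEXAMPLE REST.GET.BUCKETPOLICY - "GET /examplebucket?policy HTTP/1.1" 200 - 512 - 20 19 "-" "Boto3/1.9.0" - HOSTID SigV4 ECDHE-RSA-AES128-SHA AuthHeader examplebucket.s3.amazonaws.com TLSv1.1 - -',
    'OWNERID examplebucket [06/Feb/2019:00:03:00 +0000] 198.51.100.7 OWNERID C9D8E7F6AEXAMPLE REST.GET.BUCKET - "GET /examplebucket?max-keys=1 HTTP/1.1" 200 - 1234 - 40 39 "-" "Boto3/1.9.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.amazonaws.com TLSv1.2 - -',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["time"].isoformat(), hit["operation"], hit["source_ip"], hit["tls_version"])
```

Running it prints the two bucket-level requests over deprecated TLS, newest first; the object GET over TLS 1.1 is dropped by the operation exclusion, the same blind spot the query has for object-level traffic.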

Tags