Data protection

S3 Bucket Should Enforce HTTPS

Platform(s)
Compliance Frameworks
  • AWS CIS
  • AWS Foundational Security Best Practices Controls
  • CCPA
  • cis_8
  • CPRA
  • CSA CCM
  • Data Security Posture Management (DSPM) Best Practices
  • iso_27001_2022
  • iso_27002_2022
  • Mitre ATT&CK
  • New Zealand Information Security Manual
  • NIST 800-171
  • NIST 800-53
  • Orca Best Practices
  • PDPA

Description

By default, Amazon S3 accepts both HTTP and HTTPS requests. To allow access to Amazon S3 objects only over HTTPS, you have to explicitly deny HTTP requests in the bucket policy. It was detected that the S3 bucket {AwsS3Bucket} is using a policy that doesn't strictly require HTTPS connections. HTTPS uses TLS to encrypt all connections to the bucket. If a bucket's policy doesn't explicitly deny non-HTTPS connections, the bucket is at risk of eavesdropping and man-in-the-middle attacks.
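As an added example that is not part of this check's text or Orca's own detection logic: a constructed bucket policy that grants read access but never denies HTTP, the same policy with the explicit Deny keyed on the aws:SecureTransport condition, and a small checker that tests whether a policy document contains such a statement for a given bucket. The bucket name, account ID and role ARN are constructed values.

```python
import json

# Constructed sample: grants a read role access but never denies plaintext HTTP.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Constructed sample: the same grant plus an explicit Deny of every S3 action on
# the bucket and its objects whenever the request did not arrive over TLS.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    json.loads(WEAK_POLICY)["Statement"][0],
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def enforces_https(policy_json, bucket_name):
    """True if some Deny statement covers all principals, all S3 actions and
    both the bucket ARN and its objects when aws:SecureTransport is false."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        # Principal must be everyone, otherwise some callers can still use HTTP.
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        tls = [str(v).lower() for v in _as_list(cond.get("aws:SecureTransport", []))]
        if tls != ["false"]:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = set(_as_list(stmt.get("Resource", [])))
        if actions & {"s3:*", "*"} and (
                "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources):
            return True
    return False
```

The checker deliberately requires the Deny to cover both the bucket ARN and its objects; a Deny on objects alone leaves bucket-level operations such as listing reachable over HTTP.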