Data protection

S3 Bucket Should Enforce HTTPS

Platform(s)
Compliance Frameworks

AWS CIS, AWS Foundational Security Best Practices Controls, CCPA, cis_8, CPRA, CSA CCM, Data Security Posture Management (DSPM) Best Practices, iso_27001_2022, iso_27002_2022, Mitre ATT&CK, New Zealand Information Security Manual, NIST 800-171, NIST 800-53, Orca Best Practices, PDPA

Description

By default, Amazon S3 allows both HTTP and HTTPS requests. In order to allow access to Amazon S3 objects only through HTTPS, you have to explicitly deny access to HTTP requests. It was detected that the S3 bucket {AwsS3Bucket} is using a policy that doesn't strictly require HTTPS connections. HTTPS uses TLS to encrypt all connections to the bucket. If a bucket's policy doesn't explicitly deny non-HTTPS connections, it puts the bucket in the risk of eavesdropping and man-in-the-middle attacks.
Need help?

Get a free Security Risk Assessment. Start today

A screenshot of the Orca platform dashboard summarizing all of your cloud security risks

Personalized Demo

See Orca Security in Action

Gain visibility, achieve compliance, and prioritize risks with the Orca Cloud Security Platform.

Get a Demo