Data protection

S3 Bucket Should Enforce HTTPS

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

By default, Amazon S3 allows both HTTP and HTTPS requests. In order to allow access to Amazon S3 objects only through HTTPS you also have to explicitly deny access to HTTP requests. It was detected that the S3 bucket {AwsS3Bucket} is using a policy that doesn't strictly require HTTPS connections. HTTPS uses TLS to encrypt all connections to the bucket. If a bucket's policy doesn't explicitly deny non-HTTPS connections, it puts the bucket in the risk of eavesdropping and man-in-the-middle attacks.

  • Recommended Mitigation

    Ensure that all S3 bucket policies explicitly deny non-HTTPS connections.

Need help?

Get a free Security Risk Assessment. Start today

See Orca in action See Orca in action-> View a 10 minute recorded demo or sign up for a personalized one-on-one walk-through.