Control: AWS > PCI v3.2.1 > S3 > 5 S3 buckets should require requests to use Secure Socket Layer
This control checks whether Amazon S3 buckets have policies that require requests to use Secure Socket Layer (SSL).
S3 buckets should have policies that require all requests (Action: S3:*) to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport.
This does not check the SSL or TLS version. You should not allow early versions of SSL or TLS (SSLv3, TLS1.0) per PCI DSS requirements.
Remediation
To remediate this issue, update the permissions policy of the S3 bucket.
To configure an S3 bucket to deny nonsecure transport
1. Open the Amazon S3 console. 2. Navigate to the noncompliant bucket, and then choose the bucket name. 3. Choose Permissions, then choose Bucket Policy. 4. Add a similar policy statement to that in the policy below. Replace awsexamplebucket with the name of the bucket you are modifying. { "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSSLRequestsOnly", "Action": "s3:*", "Effect": "Deny", "Resource": [ "arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } }, "Principal": "*" } ] } 5. Choose Save.
PCI requirement(s): 4.1
Resource Types
This control targets the following resource types:
Policies
This control type relies on these other policies when running actions:
Category
In Your Workspace
Developers
- tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketEnforcesSsl
- tmod:@turbot/turbot#/control/categories/compliancePci
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/aws-pciv3-2-1#/control/types/s3BucketEnforcesSsl"
Get Controls