- Newest
- Most votes
- Most comments
In the context of S3, encryption of data in transit practically means accessing the S3 APIs over HTTPS, which uses TLS for authenticating the server (S3) and encrypting the requests and data payload while they're in transit. S3 always has both unencrypted HTTP and encrypted HTTPS available at the protocol level, and that cannot be disabled. You don't need to do anything special to allow unencrypted connections over HTTP.
You can control access to the HTTP port 80 and HTTPS port 443 on your firewall or security groups, but that only applies to clients connecting over a network you control.
What you can effectively do to require HTTPS encryption is to add statements in your S3 bucket policy that block requests after they've been received in case they didn't arrive over a TLS-encrypted connection. Notably, a request can still be made with unencrypted HTTP, but it won't be executed by S3, when a policy statement causes it to be refused at the authorisation stage of processing the request.
Here's an example of policy statements you could add to your S3 bucket policy (replacing amzn-my-bucket-name
with the bucket's name) to block access without HTTPS, at least TLS 1.2 (which you can adjust to 1.3 if you'd like), and without the request using SigV4 for authentication. You can remove those policy statements you don't want:
{ "Sid": "DenyAllWithoutHttps", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::amzn-my-bucket-name", "arn:aws:s3:::amzn-my-bucket-name/*" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Sid": "DenyInsufficientEncryptionInTransit", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::amzn-my-bucket-name", "arn:aws:s3:::amzn-my-bucket-name/*" ], "Condition": { "NumericLessThanIfExists": { "s3:TlsVersion": "1.2" } } }, { "Sid": "DenyInsufficientSignature", "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::amzn-my-bucket-name", "arn:aws:s3:::amzn-my-bucket-name/*" ], "Condition": { "StringNotEqualsIfExists": { "s3:signatureversion": "AWS4-HMAC-SHA256" } } }
If the intent is to do the reverse, to block HTTPS access due to the client software having trouble with HTTPS, then most likely, you'd have to block access to the HTTPS port 443 on your firewall. You can also try to write the reverse of the above policy statement enforcing HTTP, refusing it instead, but if the problem is with the client application's HTTPS/TLS implementation, the policy statement would probably be evaluated too late in the process to help, because the faulty HTTPS negotiation would've failed before the request even arrives in S3. Here's the policy statement anyway, in case you want to try it:
{ "Sid": "DenySpecificRoleWithHttps", "Effect": "Deny", "Principal": { "AWS": "arn:aws:iam::000000000000:role/name-of-role-requiring-http-access" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::amzn-my-bucket-name", "arn:aws:s3:::amzn-my-bucket-name/*" ], "Condition": { "Bool": { "aws:SecureTransport": "true" } } }
Relevant content
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
I believe the question is to block HTTPs and only allow HTTP which I think isnt a great idea
@Gary Mclean As I wrote, access over HTTP is allowed by default, without requiring configuration, and access over HTTPS for clients that have trouble with it can be blocked on a firewall or another network security control mechanism, by blocking access to the HTTPS port 443, if the connection is going through a network that is controlled by the party wanting to restrict access.
Cheers bud
Thank you for the info. The traffic or connection does not traverse our firewall. It's the vendor's app accessing the S3 bucket from their end. We'll give the policy statement you provided a try.