Disable encryption in transit on S3 bucket

0

How can encryption in transit be disabled on an S3 bucket. Our vendor's solution does not require encryption because is causes negotiation conflicts and errors. Appreciate any information you can provide. Thank you.

asked 3 months ago130 views
1 Answer
0
Accepted Answer

In the context of S3, encryption of data in transit practically means accessing the S3 APIs over HTTPS, which uses TLS for authenticating the server (S3) and encrypting the requests and data payload while they're in transit. S3 always has both unencrypted HTTP and encrypted HTTPS available at the protocol level, and that cannot be disabled. You don't need to do anything special to allow unencrypted connections over HTTP.

You can control access to the HTTP port 80 and HTTPS port 443 on your firewall or security groups, but that only applies to clients connecting over a network you control.

What you can effectively do to require HTTPS encryption is to add statements in your S3 bucket policy that block requests after they've been received in case they didn't arrive over a TLS-encrypted connection. Notably, a request can still be made with unencrypted HTTP, but it won't be executed by S3, when a policy statement causes it to be refused at the authorisation stage of processing the request.

Here's an example of policy statements you could add to your S3 bucket policy (replacing amzn-my-bucket-name with the bucket's name) to block access without HTTPS, at least TLS 1.2 (which you can adjust to 1.3 if you'd like), and without the request using SigV4 for authentication. You can remove those policy statements you don't want:

{
  "Sid": "DenyAllWithoutHttps",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::amzn-my-bucket-name",
    "arn:aws:s3:::amzn-my-bucket-name/*"
  ],
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
},
{
  "Sid": "DenyInsufficientEncryptionInTransit",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::amzn-my-bucket-name",
    "arn:aws:s3:::amzn-my-bucket-name/*"
  ],
  "Condition": {
    "NumericLessThanIfExists": {
      "s3:TlsVersion": "1.2"
    }
  }
},
{
  "Sid": "DenyInsufficientSignature",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::amzn-my-bucket-name",
    "arn:aws:s3:::amzn-my-bucket-name/*"
  ],
  "Condition": {
    "StringNotEqualsIfExists": {
      "s3:signatureversion": "AWS4-HMAC-SHA256"
    }
  }
}

If the intent is to do the reverse, to block HTTPS access due to the client software having trouble with HTTPS, then most likely, you'd have to block access to the HTTPS port 443 on your firewall. You can also try to write the reverse of the above policy statement enforcing HTTP, refusing it instead, but if the problem is with the client application's HTTPS/TLS implementation, the policy statement would probably be evaluated too late in the process to help, because the faulty HTTPS negotiation would've failed before the request even arrives in S3. Here's the policy statement anyway, in case you want to try it:

{
  "Sid": "DenySpecificRoleWithHttps",
  "Effect": "Deny",
  "Principal": { "AWS": "arn:aws:iam::000000000000:role/name-of-role-requiring-http-access" },
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::amzn-my-bucket-name",
    "arn:aws:s3:::amzn-my-bucket-name/*"
  ],
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "true"
    }
  }
}
EXPERT
answered 3 months ago
profile picture
EXPERT
reviewed 3 months ago
  • I believe the question is to block HTTPs and only allow HTTP which I think isnt a great idea

  • @Gary Mclean As I wrote, access over HTTP is allowed by default, without requiring configuration, and access over HTTPS for clients that have trouble with it can be blocked on a firewall or another network security control mechanism, by blocking access to the HTTPS port 443, if the connection is going through a network that is controlled by the party wanting to restrict access.

  • Cheers bud

  • Thank you for the info. The traffic or connection does not traverse our firewall. It's the vendor's app accessing the S3 bucket from their end. We'll give the policy statement you provided a try.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions