Enforce TLS for S3

2024-12-22 02:55:58 +00:00 · 2024-12-10 17:18:56 +00:00 · 2024-12-10 17:18:56 +00:00 · 0a224fd84a
commit 0a224fd84a
parent 612d1bfb53
1 changed files with 82 additions and 0 deletions
--- a/docs/notes/infrastructure/s3-require-tls.md
+++ b/docs/notes/infrastructure/s3-require-tls.md
@ -0,0 +1,82 @@
+---
+title: Enforce TLS for S3
+tags:
+  - AWS
+sources:
+  - https://aws.amazon.com/blogs/storage/enforcing-encryption-in-transit-with-tls1-2-or-higher-with-amazon-s3/
+---
+
+IAM policies can have a `Condition`, which must pass for the policy to apply. This can be used to require HTTPS and/or the TLS version:
+
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": "s3:GetObject",
+            "Resource": "arn:aws:s3::my-bucket/*",
+            "Condition": {
+                "Bool": {
+                    "aws:SecureTransport": "true"
+                 },
+                "NumericGreaterThanEquals": {
+                    "s3:TlsVersion": [
+                        "1.2"
+                    ]
+                }
+            }
+        }
+    ]
+}
+```
+
+The above policy allows anyone to access an object, so long as their connection is both secure and using TLS 1.2+.
+
+!!! warning
+    When enforcing HTTPS, S3 will **not** perform a redirect. A HTTP connection is just shown as a 403 (since the policy didn't apply).
+
+    If you need a redirect, it's best to handle this using CloudFront.
+
+## ACLs
+
+If the object is made public by an ACL rather than a rule, the policy condition has no effect. Instead, use a Deny rule to block insecure access.
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DenyOutdatedTLS",
+            "Effect": "Deny",
+            "Principal": "*",
+            "Action": "s3:*",
+            "Resource": "arn:aws:s3::my-bucket/*",
+            "Condition": {
+                "Bool": {
+                    "aws:SecureTransport": "true"
+                },
+                "NumericLessThan": {
+                    "s3:TlsVersion": [
+                        "1.2"
+                    ]
+                }
+            }
+        },
+        {
+            "Sid": "DenyHTTP"
+            "Effect": "Deny",
+            "Principal": "*",
+            "Action": "s3:*",
+            "Resource": "arn:aws:s3::my-bucket/*",
+            "Condition": {
+                "Bool": {
+                    "aws:SecureTransport": "false"
+                },
+            }
+        }
+    ]
+}
+```