Using an S3 Bucket Policy it is possible to require that all requests to a bucket are encrypted in transit (TLS/HTTPS), by implementing a conditional DENY on the aws:SecureTransport condition key.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{bucket name here}/*"
        },
        {
            "Sid": "DenyUnencryptedGetObject",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::{bucket name here}/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Note the condition key is aws:SecureTransport (colon, not a dot); it is set to "true" by S3 only when the request arrived over HTTPS. You will still need to provide a policy statement to allow the encrypted traffic, as every action is denied by default (an implicit deny), and an explicit DENY always overrides an ALLOW. As written the DENY only covers s3:GetObject on objects; to require TLS for every operation, set "Action" to "s3:*" and list both the bucket ARN (arn:aws:s3:::{bucket name here}) and the object ARN (arn:aws:s3:::{bucket name here}/*) under "Resource". Bear in mind that the ALLOW above with "Principal": "*" makes the objects publicly readable, which is what you want for a public website bucket and not otherwise.
My preference for allowing access to objects stored in S3 is to keep the S3 Bucket private, and use CloudFront with an Origin Access Identity (AWS now recommends its successor, Origin Access Control, for new distributions; the bucket policy approach is the same, only the principal changes). This approach allows encryption in transit to be enforced at the edge, and HTTP requests can be automatically redirected to HTTPS by the CloudFront viewer protocol policy.
It also facilitates the attachment of a WebACL for filtering traffic with Web Application Firewall (WAF) rules, and you can take full advantage of the caching capabilities of the globally distributed CloudFront Content Delivery Network (CDN).
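To make the evaluation rules concrete, here is an added example (not code from the original post) that builds the bucket policy from the first section, optionally in the private-bucket form from the second section where the ALLOW is restricted to a CloudFront Origin Access Identity, and runs a simplified simulation of how IAM decides each request: implicit deny unless an ALLOW matches, explicit DENY wins, and a Bool condition on aws:SecureTransport. The bucket name, the OAI ID and the evaluator itself are assumptions for illustration; the evaluator only implements the Principal/Action/Resource wildcard matching and the Bool operator this policy needs, not the full IAM engine.

```python
"""Simulated evaluation of an S3 "TLS only" bucket policy.

Example code written for this article; the evaluate() function is a
deliberately small model of IAM policy evaluation, not AWS's engine.
"""
from fnmatch import fnmatchcase
from typing import Optional


def tls_only_policy(bucket: str, oai_id: Optional[str] = None) -> dict:
    """Return the article's bucket policy for `bucket`.

    With oai_id=None the ALLOW is public ("AWS": "*"), as in the first policy.
    With an OAI ID (hypothetical value, e.g. "E1EXAMPLEID") the ALLOW is limited
    to that CloudFront Origin Access Identity, so only CloudFront can read.
    The DENY covers s3:* on both the bucket and its objects, so every
    operation, not only GetObject, must arrive over TLS.
    """
    if oai_id is None:
        principal = {"AWS": "*"}
    else:
        principal = {"AWS": "arn:aws:iam::cloudfront:user/"
                            f"CloudFront Origin Access Identity {oai_id}"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetObject",
                "Effect": "Allow",
                "Principal": principal,
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                # Colon, not dot: "aws.SecureTransport" is not a valid key.
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """IAM-style '*' wildcard match over one or more patterns."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition: dict, context: dict) -> bool:
    """Only the Bool operator is modelled. A key missing from the request
    context makes the condition false, which is also how IAM treats it."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, wanted in pairs.items():
            if key not in context:
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy: dict, principal: str, action: str, resource: str, context: dict) -> str:
    """Return "Allow" or "Deny" for one request.

    Rules modelled: implicit deny by default; any matching ALLOW grants;
    any matching DENY overrides every ALLOW.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Principal"]["AWS"], principal):
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEID"

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/index.html"  # constructed sample resource
    public = tls_only_policy("example-bucket")
    private = tls_only_policy("example-bucket", oai_id="E1EXAMPLEID")
    for label, pol, who in (("public", public, "anonymous"), ("oai", private, OAI_ARN)):
        for tls in ("true", "false"):
            ctx = {"aws:SecureTransport": tls}
            print(label, who[:9], "GetObject tls=" + tls, evaluate(pol, who, "s3:GetObject", obj, ctx))
```

Run it and the public policy allows an anonymous GetObject only when aws:SecureTransport is "true"; the OAI variant additionally denies the anonymous request even over TLS, which is the private-bucket behaviour the CloudFront setup relies on.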