How to Enforce SSL for an S3 Bucket

You enforce SSL for your S3 bucket by attaching a bucket policy that uses the aws:SecureTransport condition key. That bucket policy must explicitly deny all non-SSL (plain HTTP) connections.

To only allow SSL connections on your S3 bucket, you have to use a “Deny” statement that denies every request where aws:SecureTransport is false. An “Allow” that permits HTTPS connections won’t have any effect on HTTP access, because both are allowed by default and an Allow never takes access away; only an explicit Deny does. So we use a “Deny” statement.

To attach the deny policy, these are the steps:

1. Go to the S3 console: https://console.aws.amazon.com/s3

2. Choose “Buckets” on the left-hand side and select the bucket you want to secure

3. Navigate to the Permissions tab

4. Under Bucket policy, click “Edit”

5. If the bucket policy is currently empty, simply replace the template inside the editor with this policy (but remember to replace your-s3-bucketname with your own bucket name):

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicyId",
    "Statement": [
        {
            "Sid": "EnforceSSL",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-s3-bucketname",
                "arn:aws:s3:::your-s3-bucketname/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

If the bucket already has a policy attached, insert just the deny part into the statement array (with your bucket name for the resource):
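As an added example (not code from the original post), here is a small Python helper that does this merge step for you: it checks whether the existing policy already contains a Deny for non-TLS requests that covers both the bucket ARN and the object ARNs, and only if not appends the EnforceSSL statement to the Statement array. It also copes with a policy whose "Statement" is a single object rather than a list, which IAM permits. The bucket name demo-bucket and the sample PublicRead policy are constructed for the demonstration.

```python
import json
from typing import Any, Dict, List, Union

def enforce_ssl_statement(bucket: str) -> Dict[str, Any]:
    # The Deny statement from the article, with the bucket name filled in.
    return {
        "Sid": "EnforceSSL",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }

def _statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    # IAM accepts either one statement object or a list under "Statement".
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def enforces_ssl(policy: Dict[str, Any], bucket: str) -> bool:
    """True if some Deny blocks non-TLS requests to the bucket AND its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for s in _statements(policy):
        if s.get("Effect") != "Deny" or s.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = s.get("Action", [])
        if "s3:*" not in ([actions] if isinstance(actions, str) else actions):
            continue
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        res = s.get("Resource", [])
        if needed <= ({res} if isinstance(res, str) else set(res)):
            return True  # bucket-level and object-level ARNs both covered
    return False

def add_enforce_ssl(policy: Union[str, Dict[str, Any], None], bucket: str) -> Dict[str, Any]:
    """Append the EnforceSSL Deny to a policy (JSON text, dict, or None for 'no policy yet')."""
    policy = json.loads(policy) if isinstance(policy, str) else dict(policy or {})
    policy.setdefault("Version", "2012-10-17")
    if not enforces_ssl(policy, bucket):  # idempotent: never add a duplicate
        policy["Statement"] = _statements(policy) + [enforce_ssl_statement(bucket)]
    return policy

# Constructed sample: an existing policy that only allows public GetObject.
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bucket/*"}}
UPDATED_POLICY = add_enforce_ssl(json.dumps(EXISTING_POLICY), "demo-bucket")
print(json.dumps(UPDATED_POLICY, indent=4))  # paste this into the bucket policy editor
```

The printed policy keeps the original Allow untouched and adds the Deny after it; running it again on the result changes nothing.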
