How To

Encryption in transit for S3 buckets

How to enforce all access to Amazon S3 to be encrypted with TLS.

Bob Tordella
5 min. read - Mar 08, 2021
How to enforce all access to Amazon S3 to be encrypted with TLS.

Remote Access Using SSH Cryptographic Keys

By default, Amazon S3 allows unencrypted (http) connections to buckets, meaning that your users could put or get S3 objects without the data being encrypted in transit. This makes sense if you are hosting a public website, but is a serious concern for any other use.

Because end-users communicate with S3 over the public internet (yes, even if you have Direct Connect) it is vital that the data they put and read into those buckets is encrypted while in motion across the network.

Encryption in transit helps prevent snooping and manipulation of network traffic using machine-in-the-middle or similar attacks. For Amazon S3, it is best practice to allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on the bucket policy.

This post looks at how Turbot Guardrails can help enforce encryption in transit on every bucket across all your AWS accounts.

Traditional Workflow

To enforce TLS encryption for all operations against the bucket, an IAM resource policy must be applied to the bucket. Developers can add this policy to the bucket when they create it (or not) and it can be added or removed by any S3 administrator at any point in time. Also, because bucket policies can contain many statements it can be difficult at scale to test if the correct policy is effective.

Here is an example of a correct policy statement for a bucket named bob-demo-bucket:

You will notice that the policy implements a double negative, let’s break it down: Deny ("Effect": "Deny") all actions ("Action": "s3:") to anyone ("Principal": "") if ("Condition") secure access is not enabled ("aws:SecureTransport": "false").

Get it done with Turbot Guardrails

In Turbot Guardrails, encryption in transit guardrails are readily available to control your cloud resource configurations. We can set existing encryption in transit policies in a few clicks;

Create a new policy to enforce the bucket policy to require encryption in transit:

After setting the policies, Turbot Guardrails automation will identify all S3 buckets without the encryption in transit configuration in their resource policy. Once a non-compliant resource is found, Turbot Guardrails will either create a bucket policy (if one does not exist) or update the current policy to include the correct aws:SecureTransport statement. To evaluate how many buckets in your environment would be affected by this policy change we suggest setting the value to Check: Enabled at the Turbot level, and then selectively applying the enforcement setting to development and/or sandbox environments to see how the corrective controls will work in practice.

Make it happen!

See for yourself how easy it is to enforce encryption in transit across all of your S3 buckets. A ready-to-run Terraform template is available to enable this configuration from the Turbot Development Kit (TDK). If you need any assistance, let us know in our Slack community #guardrails channel. If you are new to Turbot, connect with us to learn more!