Overview
At the Amazon S3 bucket level, you can configure permissions through a bucket policy so that the objects are accessible only over HTTPS.
Remediation guidance
From Console
- Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
- Select the check box next to the bucket.
- Click on Permissions.
- Click Bucket Policy
- Add this statement to the existing policy, filling in the required information:
  {
    "Sid": "Deny Plain HTTP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "false"
      }
    }
  }
- Choose Save
- Repeat for all the buckets in your AWS account that contain sensitive data.
Using AWS Policy Generator
- Repeat steps 1-4 above.
- Click on Policy Generator at the bottom of the Bucket Policy Editor
- Select Policy Type = S3 Bucket Policy
- Add Statements with the following values:
- Effect = Deny
- Principal = *
- AWS Service = Amazon S3
- Actions = GetObject
- Amazon Resource Name =
- Generate Policy
- Copy the text and add it to the Bucket Policy.
From Command Line
- Export the bucket policy to a JSON file:
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
- Modify the policy.json file by adding this statement:
  {
    "Sid": "Deny Plain HTTP",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::<bucket_name>/*",
    "Condition": {
      "Bool": {
        "aws:SecureTransport": "false"
      }
    }
  }
- Apply this modified policy back to the S3 bucket:
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json
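The step "modify the policy.json file by adding this statement" is where mistakes happen in practice: the exported policy already has a Statement array, and the new statement must be merged into it without clobbering existing grants. The following Python is an added example (not from the original page or from AWS) that checks an exported policy for a TLS-enforcing Deny and, if absent, appends the statement shown above. SAMPLE_POLICY is a constructed stand-in for policy.json, and the bucket name example-bucket is a placeholder.

```python
import json

# Constructed sample policy.json, as exported by `aws s3api get-bucket-policy`:
# public read is allowed, but nothing yet requires TLS.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def _as_list(value):
    """Statement, Action and condition values may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def denies_plain_http(policy):
    """True if some statement denies s3:GetObject (or s3:*) when aws:SecureTransport is false."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {str(a).lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"s3:getobject", "s3:*", "*"}:
            continue
        flags = _as_list(stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport"))
        if "false" in [str(v).lower() for v in flags]:  # string "false" or boolean False
            return True
    return False

def add_plain_http_deny(policy, bucket_name):
    """Return a deep copy of policy with the 'Deny Plain HTTP' statement appended (idempotent)."""
    updated = json.loads(json.dumps(policy))
    updated.setdefault("Version", "2012-10-17")
    statements = _as_list(updated.get("Statement"))
    if not denies_plain_http(updated):
        statements.append({
            "Sid": "Deny Plain HTTP",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        })
    updated["Statement"] = statements
    return updated
```

Write the returned dictionary to policy.json with json.dump and apply it with the put-bucket-policy command above; running the function again on the result leaves the policy unchanged, so it is safe to use in a remediation loop over many buckets.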
Multiple Remediation Paths
AWS
SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.
PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.
References for Service-Wide Patterns
- AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
- AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- AWS: deploy/adjust organization conformance packs and policy guardrails.
aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
Check: S3 Bucket Policy is set to deny HTTP requests
Connectors: AWS
Covered asset types
Expected check: eq []
Query: buckets(where: {OR: [{policyDocument_MATCHES: "^((?!(?i)\"effect\":\"deny\").)*$"},{policyDocument_MATCHES: "^((?!(?i)\"Bool|aws:SecureTransport|false\").)*$"}]}) {...AssetFragment}