Force HTTPS on AWS S3

Giuseppe Borgese
Dec 5, 2018


The issue

Using plain HTTP is more discouraged on the web every day for security reasons, mainly because of man-in-the-middle attacks, but also because of risks such as using Wi-Fi without encryption, among other possibilities.

Like many other AWS services, S3 lets you choose between an HTTP and an HTTPS endpoint; you can check the full list on the official regions and endpoints page for S3. This leaves open the possibility of insecure access, so it makes sense to block use of the HTTP endpoint.

The solution

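The solution is in the bucket policy. In my bucket, called tests3https, I have configured this bucket policy to block any HTTP access. The Deny statement applies whenever aws:SecureTransport is false, that is, whenever the request was not sent over SSL/TLS.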

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::tests3https",
        "arn:aws:s3:::tests3https/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
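One way to audit a bucket policy for this rule offline, as an added example that is not code from the original article: the check accepts only a Deny for every principal on `s3:*` that covers both the bucket and its objects and has no other condition. The function names and the two failing sample policies are constructed for illustration; the check is deliberately conservative and matches resource ARNs literally instead of expanding wildcards.

```python
def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _only_blocks_http(condition):
    """True only if the sole condition is Bool aws:SecureTransport = false.
    Any additional condition key would narrow the Deny, so it is rejected."""
    flat = [(op.lower(), key.lower(), [str(v).lower() for v in _as_list(val)])
            for op, keys in condition.items() for key, val in keys.items()]
    return flat == [("bool", "aws:securetransport", ["false"])]

def enforces_https(policy, bucket):
    """True if Deny statements block all S3 actions over plain HTTP, for every
    principal, on the bucket ARN and on the ARN of all of its objects."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    covered = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue  # an Allow with SecureTransport=true blocks nothing
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # must apply to everyone
        if not {"s3:*", "*"} & set(_as_list(stmt.get("Action", []))):
            continue  # must cover every S3 action
        if not _only_blocks_http(stmt.get("Condition", {})):
            continue
        covered |= needed & set(_as_list(stmt.get("Resource", [])))
    return covered == needed

def _policy(effect, resources, secure):
    """Build a one-statement sample policy in the article's shape."""
    return {"Version": "2008-10-17", "Statement": [{
        "Effect": effect, "Principal": "*", "Action": "s3:*",
        "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": secure}}}]}

BUCKET = "tests3https"
BOTH = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
PAGE_POLICY = _policy("Deny", BOTH, "false")       # the policy from the article
ALLOW_ONLY = _policy("Allow", BOTH, "true")        # constructed: no Deny at all
OBJECTS_ONLY = _policy("Deny", BOTH[1:], "false")  # constructed: bucket ARN missing

def audit():
    samples = {"page": PAGE_POLICY, "allow_only": ALLOW_ONLY,
               "objects_only": OBJECTS_ONLY}
    return {name: enforces_https(p, BUCKET) for name, p in samples.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name}: {'HTTPS enforced' if ok else 'HTTP still possible'}")
```

To audit a live bucket, feed the function the parsed JSON of the policy document you export for it.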

The experiment

In the video, I show an example using the AWS S3 CLI and s3cmd to access S3 resources over HTTP and HTTPS, with a policy that forbids HTTP.

If you want to repeat the experiment yourself, you may find these links useful: AWS CLI options, Install s3cmd on any Linux, and this nice tutorial for tshark.

Web Bucket option

If you want HTTPS, you cannot use a normal web bucket; you need to put it behind a CloudFront distribution and point the DNS to it.

Or, if you only want to serve a single file from the bucket, you can link to that single file using a non-custom domain, as I did here.

About me and my book

If you like this article and find it useful, you can subscribe to my YouTube channel AWS Tutorials — Giuseppe Borgese and also buy a copy of my latest book on the Packtpub website or on amazon.com. The book has a whole chapter focused on security and a lot of practical examples.

Take a look at the examples in the GitHub repo, where you can also find the discount.
