Is it possible (via IAM, bucket policy, or otherwise) to force Amazon S3 to only serve content over HTTPS/SSL and deny all regular, unencrypted HTTP access?
2 Answers
48
I believe this can be achieved using a bucket policy. Deny all HTTP requests to the bucket in question using the condition aws:SecureTransport: false.
The following is not tested but it should give you an idea of how to set it up for your case.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Deny",
      "Principal": "*",
      "Resource": [
        "arn:aws:s3:::bucketname",
        "arn:aws:s3:::bucketname/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
- [2] This didn't work for me, that is, I can still access http://my.website.com.s3-website-us-east-1.amazonaws.com, which is the S3 endpoint – Chris F Sep 07 '18 at 18:21
- Wow, this actually worked really well. Much simpler than the AWS Policy Generator. Thanks! – Joshua Pinter Sep 08 '19 at 02:56
5
Here you allow your incoming traffic but refuse the non-SSL one. If you want to go back, just remove the 2nd statement:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucketnamehere/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::yourbucketnamehere/*",
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
Don't forget to put your bucket name at yourbucketnamehere.
Now you need to install an SSL certificate. All the information can be found here.
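As an added example (not code from either answer), the following Python script builds the second answer's policy with the Deny widened to s3:* and to the bucket ARN as well as its objects, and runs a deliberately simplified model of bucket-policy evaluation over it: anonymous principal only, only the Bool condition operator, explicit Deny beats Allow, nothing else is implicit. The bucket name is the answer's placeholder.

```python
import fnmatch

BUCKET = "yourbucketnamehere"  # placeholder from the answer; substitute your bucket

# Policy from the second answer, with the Deny widened to s3:* and to the bucket ARN
# as well as its objects, so bucket-level calls (e.g. ListBucket) over plain HTTP are
# refused too. Sids are unique, which AWS requires within one policy.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Only the Bool operator is modelled, since it is all these policies use."""
    for key, expected in condition.get("Bool", {}).items():
        if key not in context:
            return False  # a missing context key never satisfies Bool
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, resource, secure_transport):
    """Simplified evaluation for an anonymous caller (Principal "*" only):
    an applicable explicit Deny wins, else an applicable Allow, else implicit deny."""
    context = {"aws:SecureTransport": secure_transport}
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # IAM-style wildcard matching on action and resource ('*' matches anything)
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome
```

Note that an S3 static-website endpoint (the *.s3-website-* hostname in the first comment) only serves plain HTTP, so no bucket policy can make it HTTPS-only; HTTPS requires the REST endpoint or CloudFront in front of the bucket.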