6

I know how to enforce SSL on S3 via bucket policies.

But even with this bucket policy, a presigned S3 object URL can be accessed both using HTTP and HTTPS.

Is there a way to enforce SSL on presigned URL? Either using a bucket policy or using a specific option during presign.

Yves M.
  • 29,855
  • 23
  • 108
  • 144

1 Answers1

4

Modify the policy that grants access to the principal that's signing the URL, adding this condition key test.

"Condition": {
    "Bool": {
         "aws:SecureTransport": "true"
    }
}

If requests are made with those signed URLs using HTTP, they'll be denied. This change will be retroactive, impacting even signed URLs you already generated, because it's evaluated when the URL is actually used.

Alternately, create a bucket policy to deny all access to the bucket when the condition is false.

https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/

Yves M.
  • 29,855
  • 23
  • 108
  • 144
Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427