In my company we have multiple S3 buckets, and we want to enforce HTTPS only traffic to them. These buckets are up and running, i.e lambda functions and external integrations (e.g security monitoring systems) either write objects to them or fetch objects from them all the time.

I am planning to enfore the following ACL policy:

{
    "Version": "2012-10-17",
    "Id": "Enforce HTTPS",
    "Statement": [
        {
            "Sid": "HTTPSOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mybucket",
                "arn:aws:s3:::mybucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]

What are the steps I should take to ensure the lambda functions and the external integrations will still be able to write/read from the buckets after implementing the ACL policy?

Thank you in advance

CodePudding user response：

S3 operations you do from Lambda functions and AWS CLI uses TLS by default. You would need to check for any external integrations that uses S3 use SSL or does S3 operations in a managed way. If that is the case, no problem I would say.

One small thing to note. The condition added at the end is super important :). I have missed the condition part during a merge process, by mistake. That has added an explicit deny, which denied all the S3 request. Root user can only help updating the policy again.

Another thing to note, if you have a separate service that takes care of deploying this change, you would need to allow that service's role to perform s3:PutBucketPolicy operation so that modifying the bucket policy could be possible there after.