AWS S3 Bucket Policy Does Not Enforce HTTPS Request Only

Amazon S3 (Simple Storage Service) is a highly scalable object storage service provided by Amazon Web Services (AWS). Bucket policies in S3 are JSON-based access policy documents that allow you to manage access to your S3 buckets and the objects within them. By default, AWS S3 supports both HTTP and HTTPS requests. However, there are cases where the bucket policy does not enforce HTTPS requests only, which can pose security risks. This blog post will explore the core concepts, typical usage scenarios, common practices, and best practices related to this issue.

Table of Contents

  1. Core Concepts
  2. Typical Usage Scenarios
  3. Common Practices
  4. Best Practices
  5. Conclusion
  6. FAQ

Core Concepts

AWS S3 Bucket Policy

A bucket policy is a set of rules that define who can access your S3 bucket and how they can access it. It uses JSON syntax and can be used to control permissions at a granular level. Bucket policies can be used to allow or deny access to specific actions (such as s3:GetObject, s3:PutObject), specific IP ranges, or specific AWS accounts.

HTTP vs HTTPS

HTTP (Hypertext Transfer Protocol) is a protocol used for transferring data over the web. It is a clear-text protocol, which means that all data transmitted over HTTP can be intercepted and read by anyone with access to the network path. HTTPS (HTTP Secure) is an extension of HTTP that uses SSL/TLS encryption to secure the data transfer. This keeps the data confidential and unaltered during transmission.

Why Enforce HTTPS?

Enforcing HTTPS for S3 bucket access is crucial for security reasons. It protects sensitive data from being intercepted and tampered with during transmission. When a bucket policy does not enforce HTTPS requests only, it allows clients to access the bucket using unencrypted HTTP, which can lead to data leakage and security vulnerabilities.

Typical Usage Scenarios

Legacy Applications

Some legacy applications may not support HTTPS or may have difficulties in configuring HTTPS. In such cases, if the S3 bucket policy does not enforce HTTPS, these applications can continue to access the bucket using HTTP. For example, an old on-premises application that was developed before the widespread adoption of HTTPS may still rely on HTTP for data transfer.

Testing Environments

In testing environments, developers may want to quickly test the functionality of their applications without having to worry about setting up HTTPS. If the S3 bucket policy does not enforce HTTPS, it allows for easier testing and debugging. For instance, during unit testing or integration testing, developers can use HTTP to access the S3 bucket to verify the data retrieval and storage functionality.

Internal Networks

In some cases, when the S3 bucket is accessed within a secure internal network, the organization may consider the risk of using HTTP to be low. For example, if the internal network has strict access controls and firewalls in place, the organization may choose not to enforce HTTPS for S3 bucket access within the network.

Common Practices

No Policy at All

One common scenario is when there is no bucket policy at all. In this case, the default behavior of S3 allows both HTTP and HTTPS requests. If the bucket is public or has other forms of access control mechanisms (such as IAM roles), clients can access the bucket using either protocol.

{
    "Version": "2012-10-17",
    "Statement": []
}

Incomplete Policy Configuration

Another common practice is an incomplete or misconfigured bucket policy. For example, a policy may be set up to allow access to specific actions but fails to include a rule to enforce HTTPS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

This policy allows any principal to perform the s3:GetObject action on every object in the my-bucket bucket, but it says nothing about the transport, so the same objects can be fetched over plain HTTP.

Best Practices

Enforce HTTPS in the Bucket Policy

To enforce HTTPS, add a Deny statement to your bucket policy that is conditioned on the aws:SecureTransport key, which is false for any request that arrives over plain HTTP.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

This policy denies every S3 action against both the bucket itself and its objects whenever aws:SecureTransport is false, that is, whenever the request was made over HTTP. Because an explicit Deny overrides any Allow, the statement works alongside whatever Allow statements the policy also contains; listing both the bucket ARN and the object ARN matters, since bucket-level calls such as listing are evaluated against the bucket ARN, not the object ARN.

Use AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) can be used to obtain and manage the SSL/TLS certificates that front your S3 content. S3's own endpoints already present Amazon-managed certificates; ACM comes into play when you associate a certificate with a CloudFront distribution placed in front of your bucket, which lets you serve the bucket over HTTPS under your own domain name.

Regularly Audit Bucket Policies

Regularly review and audit your S3 bucket policies to ensure that they are up to date and still enforce HTTPS. Use AWS IAM Access Analyzer to analyze the bucket policies and identify any security risks or non-compliant policies.
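As an added example (not from this post, and not AWS or IAM Access Analyzer code), the script below performs the audit check this section calls for, in the spirit of the Deny statement shown under "Enforce HTTPS in the Bucket Policy": it parses a bucket policy document in the form `aws s3api get-bucket-policy` returns it (a JSON string) and reports whether an explicit Deny on `aws:SecureTransport = false` covers every action against both the bucket ARN and the object ARN. It runs against the three policies shown in this post plus a constructed variant that denies plain HTTP only for `s3:PutObject` (the single-action case the FAQ describes), so each kind of gap appears in the output. The function names, the bucket name `my-bucket` and the sample policy texts are assumptions for this example; only the common Action/Resource statement form is handled.

```python
"""Offline audit of an S3 bucket policy for HTTPS-only enforcement.

Added example for this post (not AWS or Access Analyzer code). No AWS calls are
made; the policy text is parsed exactly as `get-bucket-policy` would return it.
Only the common Action/Resource form is handled (NotAction/NotResource are not).
"""
import fnmatch
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """Policy grammar lets Action, Resource and condition values be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_plain_http(stmt: Dict[str, Any]) -> bool:
    """True if the statement's *only* condition is aws:SecureTransport == false.

    Any extra condition (an IP range, a VPC endpoint, ...) narrows the Deny so it
    no longer blocks HTTP for every request; such statements are not counted.
    """
    cond = stmt.get("Condition", {})
    if len(cond) != 1:
        return False
    (operator, pairs), = cond.items()
    if operator not in ("Bool", "BoolIfExists") or not isinstance(pairs, dict) or len(pairs) != 1:
        return False
    (key, value), = pairs.items()
    values = {str(v).lower() for v in _as_list(value)}
    return key.lower() == "aws:securetransport" and values == {"false"}


def find_https_enforcement_gaps(policy: Dict[str, Any], bucket: str) -> List[str]:
    """Return human-readable gaps; an empty list means HTTPS is fully enforced.

    Both ARNs must be covered: the bucket ARN guards bucket-level calls such as
    ListBucket, the object ARN guards GetObject/PutObject on the contents.
    """
    targets = {f"arn:aws:s3:::{bucket}": "bucket", f"arn:aws:s3:::{bucket}/*": "objects"}
    denied_actions = {arn: set() for arn in targets}

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _denies_plain_http(stmt):
            continue
        # A Deny scoped to particular principals still leaves everyone else free
        # to use HTTP, so only a wildcard principal counts as enforcement.
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = set(_as_list(stmt.get("Action")))
        for pattern in _as_list(stmt.get("Resource")):
            for arn in targets:
                # IAM resource wildcards behave like shell globs for this purpose.
                if fnmatch.fnmatchcase(arn, pattern):
                    denied_actions[arn] |= actions

    gaps = []
    for arn, label in targets.items():
        acts = denied_actions[arn]
        if not acts:
            gaps.append(f"{label} ({arn}): plain-HTTP requests are not denied")
        elif not any(a.lower() in ("s3:*", "*") for a in acts):
            gaps.append(f"{label} ({arn}): plain-HTTP denied only for {sorted(acts)}")
    return gaps


# Sample documents (constructed for this example): the three policies shown in
# the post, plus a variant that enforces HTTPS for a single action only.
EMPTY_POLICY = '{"Version": "2012-10-17", "Statement": []}'

ALLOW_ONLY_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]
}"""

HTTPS_ONLY_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]
}"""

PUT_ONLY_HTTPS_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::my-bucket/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]
}"""


def audit(policy_json: str, bucket: str = "my-bucket") -> List[str]:
    """Parse the policy text as the API returns it and run the check."""
    return find_https_enforcement_gaps(json.loads(policy_json), bucket)


if __name__ == "__main__":
    for name, doc in [("empty", EMPTY_POLICY), ("allow-only", ALLOW_ONLY_POLICY),
                      ("https-only", HTTPS_ONLY_POLICY), ("put-only", PUT_ONLY_HTTPS_POLICY)]:
        gaps = audit(doc)
        print(f"{name}: {'OK' if not gaps else 'GAPS'}")
        for gap in gaps:
            print("  -", gap)
```

Only the policy from this post's "Enforce HTTPS" section comes back clean; the empty and allow-only policies report both ARNs as open to HTTP, and the PutObject-only variant reports the bucket ARN as uncovered and the object ARN as covered for a single action. Feeding the script the `Policy` field of a real `get-bucket-policy` response is the intended use; a Deny that also carries an IP or VPC condition is deliberately not credited, because it no longer blocks HTTP for every caller.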

Conclusion

In conclusion, while there are some legitimate reasons for not enforcing HTTPS in an S3 bucket policy, such as legacy applications, testing environments, or internal networks, it is generally a best practice to enforce HTTPS for security reasons. A bucket policy that does not enforce HTTPS can expose sensitive data to security risks. By following the best practices outlined in this blog, software engineers can ensure that their S3 bucket access is secure and protected.

FAQ

Q1: Can I enforce HTTPS for only specific actions in the bucket policy?

A1: Yes, you can. You can modify the bucket policy to include the aws:SecureTransport condition only for the specific actions you want to enforce HTTPS for. For example, you can enforce HTTPS only for s3:PutObject actions.

Q2: What happens if a client tries to access the bucket using HTTP when HTTPS is enforced?

A2: If the bucket policy enforces HTTPS and a client tries to access the bucket using HTTP, the request will be denied according to the bucket policy. The client will receive an error message indicating that the request is not allowed.

Q3: Do I need to pay extra for using HTTPS with S3?

A3: There is no additional charge from AWS for using HTTPS with S3. However, if you use a CloudFront distribution in front of your S3 bucket, there may be charges associated with CloudFront usage.
