@steinsag
Created June 11, 2014 12:03
S3 bucket policy to enforce encryption and https:// access
```json
{
  "Version": "2008-10-17",
  "Id": "Policy-GENERATED-ID",
  "Statement": [
    {
      "Sid": "DenyUnSecureCommunications",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::S3-BUCKET-ID",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": false
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::S3-BUCKET-ID/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```
yvele commented Dec 4, 2018

Your DenyUnEncryptedObjectUploads condition only denies aws:kms and still allows no encryption at all:

```json
"Condition": {
  "StringNotEquals": {
    "s3:x-amz-server-side-encryption": "AES256"
  }
}
```

To disable no encryption (but still allow both aws:kms and AES256) you should do:

```json
"Condition": {
  "Null": {
    "s3:x-amz-server-side-encryption": "true"
  }
}
```

see https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/
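As an added example (not part of the gist or of the comment above), a small Python checker that lints a bucket policy for the two gaps discussed on this page: the TLS-only Deny lists only the bucket ARN, while object operations such as GetObject and PutObject are authorised against the object ARN `arn:aws:s3:::bucket/key`, so it should also cover `arn:aws:s3:::S3-BUCKET-ID/*`; and the SSE Deny lacks the `Null` condition the comment recommends. `harden()` returns a corrected copy, swapping in the `Null` condition as the comment suggests. The policy dict is a constructed copy of the gist's policy, and the function names are my own.

```python
import copy

# Constructed Python copy of the gist's policy (bucket name is the gist's placeholder).
BUCKET_ARN = "arn:aws:s3:::S3-BUCKET-ID"
SSE_KEY = "s3:x-amz-server-side-encryption"
GIST_POLICY = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "DenyUnSecureCommunications", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": BUCKET_ARN,
         "Condition": {"Bool": {"aws:SecureTransport": False}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}}},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy):
    """Return findings (list of str) for the two controls this policy tries to enforce."""
    findings = []
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny"]
    # Check 1: object operations are authorised against "<bucket-arn>/<key>", not the
    # bucket ARN, so a TLS-only Deny that lists only the bucket ARN misses them.
    tls = [s for s in denies if "aws:SecureTransport" in s.get("Condition", {}).get("Bool", {})]
    if not tls:
        findings.append("no Deny statement on aws:SecureTransport")
    for s in tls:
        if not any(r.endswith("/*") for r in as_list(s["Resource"])):
            findings.append(f"{s.get('Sid', '?')}: Resource lacks an object ARN ('<bucket-arn>/*'), object requests over HTTP are not denied")
    # Check 2: the comment above recommends a Null condition so that a PutObject
    # that omits the SSE header entirely is covered, not only one carrying a wrong value.
    sse = [s for s in denies if any(SSE_KEY in v for v in s.get("Condition", {}).values())]
    if not any(str(s["Condition"].get("Null", {}).get(SSE_KEY, "")).lower() == "true" for s in sse):
        findings.append(f"no Deny with Null {{{SSE_KEY}: true}}: uploads that omit the header are not covered")
    return findings

def harden(policy):
    """Return a copy with both gaps closed, following the comment for the SSE statement."""
    fixed = copy.deepcopy(policy)
    for s in fixed["Statement"]:
        cond = s.get("Condition", {})
        if "aws:SecureTransport" in cond.get("Bool", {}):
            bucket = as_list(s["Resource"])[0].split("/")[0]  # bucket names never contain "/"
            s["Resource"] = [bucket, bucket + "/*"]
        elif any(SSE_KEY in v for v in cond.values()):
            s["Condition"] = {"Null": {SSE_KEY: "true"}}  # allows AES256 and aws:kms, denies a missing header
    return fixed
```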
