Everything ~ Cloud Security
Restricting Access to Non-SSL S3 Objects (website) using Bucket Policies

Restricting Access to Non-SSL S3 Objects (website) using Bucket Policies

Goodycyb's photo
Goodycyb
·

5 min read

Table of contents

Introduction

Amazon S3 objects are files with associated metadata, and their security can be ensured through policies. To protect data during transfer, Amazon S3 uses the HTTPS protocol for encryption. Policies can be established to safeguard S3 objects by disallowing non-SSL access and permitting only SSL access.

An overview of AWS Storage Objects reveals that Amazon S3 offers convenient and universal data upload and retrieval from any internet location. It securely stores various types of data, including text files, photos, and videos, in designated buckets. These buckets serve as secure containers for objects. By default, authorized users have access to all Amazon S3 buckets, but specific object restrictions can be set up using bucket policies. The HTTPS protocol is employed for secure connections when transmitting data to and from Amazon S3. Configuring object policies enables the allowance of HTTPS connections while denying HTTP connections, effectively preventing potential man-in-the-middle attacks by blocking HTTP connections for S3 objects.

Lab Objective

The objective of this lab is to demonstrate the process of restricting non-SSL (insecure) access to S3 objects.

Disclaimer

Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console

Lab Tasks

  • Sign in to your AWS management console and search for S3 in the search bar.

  • On the Amazon S3 Page, click on Create Bucket.

  • Within the Create bucket window, designate the Bucket name as "d3m0-01" Next, choose a suitable AWS Region from the available options. In this lab, the region selected is us-west-2 (Oregon)

  • Under Object Ownership, click on the ACLs enabled radio button and retain the other default settings. Scroll down to the Block Public Access settings for this bucket. Uncheck Block all public access to allow public access to the bucket. Check the acknowledgement.

  • Retain the other default settings. Scroll down to the bottom and click on Create bucket.

  • The bucket d3m0-02 has been successfully created. Next, create a new object (a webpage) under the d3m0-02 bucket.

  • Open Notepad and paste the code, then save it as index.html
<!DOCTYPE html>
<html>
<body>

<h1>My First Website</h1>
<p>Welcome to d3m0-02 website !!</p>

</body>
</html>

  • Click on the bucket name “d3m0-02”. Next, upload the above-created webpage as an object to the S3 bucket that can be publicly accessed. Click the Upload button.

  • On the Upload page, click the Add Files button to add the webpage (index.html) file.

  • Once the file (index.html) is added, scroll down and click on Upload to upload the file.

  • After a few seconds, you will see the Upload succeeded message. Then, click on Close.

  • On the d3m0-02 bucket page, To allow public access to the web page, you need to mark the checkbox next to the index.html object. Next, click on the Actions drop-down button and choose the "Make public using the ACL" option from the available list.

  • In the Make Public section that appears, click on the Make Public button to continue.

  • Once the message indicating successful public access editing is displayed, click on the "Close" button.

  • On the d3m0-02 bucket page, Click on the index.html object under Objects.

  • Once the index.html object page is opened, you will be able to view the Object URL, which is accessible to the public. Please copy the URL.

  • To view the web page content, open a fresh browser tab, then paste the copied Object URL into the address bar and hit Enter.

  • Take note of the URL displayed in the address bar. The presence of a lock icon within the URL signifies that the page can be accessed securely.

  • Modify the URL from the HTTPS request to an HTTP request and press Enter.

  • Upon accessing the webpage, you will be presented with a page indicating that the connection is not secure.

Bucket Policy to Enforce only HTTPS Connection

Next, proceed with the implementation of a bucket policy that permits public access to the object only through secure connections (HTTPS).

  • Switch to the Amazon S3 console and click on the d3m0-02 bucket, then navigate to the Permissions tab.

  • Scroll down and click on Edit under the Bucket Policy section.

  • Copy and paste the following code in the bucket policy editor. Then, scroll down and click on Save Changes.

NB: Replace d3m0-02 in “Resource” with your bucket name arn:aws:s3:::your-bucket-name/*

{
  "Version": "2012-10-17",
  "Id": "AllowOnlyHTTPSAccess",
  "Statement": [
    {
      "Sid": "DenyInsecureConnections",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::d3m0-02/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

  • Then, scroll down and click on Save Changes.

The message indicating that the bucket policy has been successfully edited is displayed.

  • Next, verify the publicly accessible object’s secure connection by repeating the previous steps with HTTP and HTTPS. Navigate to the index.html object URL

The website is accessible via HTTPS (secure connection)

  • Now Edit the URL by replacing the HTTPS with HTTP and pressing ENTER

Due to access restrictions implemented in the bucket policy, you are currently unable to view the content using an HTTP connection.

By completing this lab, you as a cloud security engineer gain the ability to restrict HTTP connections to the objects stored within an S3 bucket using a bucket policy.

Deleting Created Resources

To avoid incurring charges, it is important to delete, shut down, or terminate all resources that have been created and utilized in this lab.

  • Proceed with deleting the instances that were created during this lab session. Go to the Buckets section within Amazon S3 and locate the bucket that was specifically created for this lab, identified as "d3m0-02". Select the checkbox corresponding to this bucket and click on the "Empty" button to remove all its contents before proceeding with deletion. In the subsequent pop-up window, enter the phrase "permanently delete" and click on the "Empty" button to finalize the deletion process.

  • Navigate to Buckets under Amazon S3 and select the checkbox for the bucket created in this lab (here, d3m0-02). Click on the Delete button. In the pop-up window, enter the bucket's name and click on the Delete button.

Did you find this article valuable?

Support Everything ~ Cloud Security by becoming a sponsor. Any amount is appreciated!

S3-bucketStatic Websitestatic website deployment in AWSWeb DevelopmentAWS Community Builder