Force SSL on Amazon S3


Solution 1

I believe this can be achieved using a bucket policy. Deny all HTTP requests to the bucket in question using the condition aws:SecureTransport: false.
The following is not tested but it should give you an idea of how to set it up for your case.

{
    "Statement":[
        {
            "Action": "s3:*",
            "Effect":"Deny",
            "Principal": "*",
            "Resource":"arn:aws:s3:::bucketname/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
} 

Solution 2

Here you allow your incoming traffic but refuse the non-SSL traffic. If you want to go back, just remove the 2nd statement:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yourbucketnamehere/*"
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::yourbucketnamehere/*",
            "Condition":{
                "Bool":
                { "aws:SecureTransport": false }
            }
        }
    ]
}

Don't forget to put your bucket name at yourbucketnamehere.

Now you need to install an SSL certificate. All the information can be found here.
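
An added example, not from either answer or from AWS: a small Python check that reads a bucket policy and reports where the aws:SecureTransport deny leaves plain-HTTP access open, such as a deny scoped only to bucketname/* or only to s3:GetObject. The function names, finding strings and the example-bucket policies are constructed for illustration.

```python
import json

def as_list(value):
    return value if isinstance(value, list) else [value]

def denies_plain_http(stmt):
    """True if stmt denies everyone when aws:SecureTransport is false."""
    cond = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    is_false = any(str(v).lower() == "false" for v in as_list(cond))
    everyone = stmt.get("Principal") in ("*", {"AWS": "*"})
    return stmt.get("Effect") == "Deny" and everyone and is_false

def tls_enforcement_gaps(policy_json, bucket):
    """Return findings; an empty list means every S3 action on the bucket
    and on its objects is denied when the request is not sent over TLS."""
    statements = as_list(json.loads(policy_json)["Statement"])
    findings = []
    sids = [s["Sid"] for s in statements if "Sid" in s]
    if len(sids) != len(set(sids)):
        findings.append("duplicate Sid values")
    denies = [s for s in statements if denies_plain_http(s)]
    if not denies:
        return findings + ["no Deny statement on aws:SecureTransport=false"]
    # Only statements that deny every S3 action count as full coverage.
    broad = [s for s in denies if {"s3:*", "*"} & set(as_list(s.get("Action", [])))]
    if not broad:
        actions = sorted({a for s in denies for a in as_list(s.get("Action", []))})
        return findings + ["deny covers only: " + ", ".join(actions)]
    covered = {r for s in broad for r in as_list(s.get("Resource", []))}
    # Bucket-level actions match the bucket ARN, object actions match bucket/*.
    for arn in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
        if arn not in covered:
            findings.append("deny does not cover " + arn)
    return findings

def sample_policy(resources, action="s3:*"):
    """Constructed sample input (hypothetical bucket name example-bucket)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
        "Action": action, "Resource": resources,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

OBJECTS_ONLY = sample_policy("arn:aws:s3:::example-bucket/*")
HARDENED = sample_policy(["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"])

if __name__ == "__main__":
    for name, doc in (("objects only", OBJECTS_ONLY), ("hardened", HARDENED)):
        print(name, "->", tls_enforcement_gaps(doc, "example-bucket") or "no gaps")
```
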

Author: Alex

Updated on December 05, 2020

Comments

  • Alex over 3 years

    Is it possible (via IAM, bucket policy, or otherwise) to force Amazon S3 to only serve content over HTTPS/SSL and deny all regular, unencrypted HTTP access?

  • Chris F over 5 years
    This didn't work for me, that is, I can still access my.website.com.s3-website-us-east-1.amazonaws.com, which is the S3 endpoint
  • Joshua Pinter over 4 years
    Wow, this actually worked really well. Much simpler than the AWS Policy Generator. Thanks!