[Turbot On] Encryption in Transit for S3 Buckets
How to enforce all access to Amazon S3 to be encrypted with TLS.
By default, Amazon S3 allows unencrypted (HTTP) connections to buckets, meaning that your users could `put` or `get` S3 objects without the data being encrypted in transit. This makes sense if you are hosting a public website, but it is a serious concern for any other use.
Because end-users communicate with S3 over the public internet (yes, even if you have Direct Connect), it is vital that the data they write to and read from those buckets is encrypted while in motion across the network.
Encryption in transit helps prevent snooping and manipulation of network traffic using machine-in-the-middle or similar attacks. For Amazon S3, it is best practice to allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on the bucket policy.
This week we will look at how Turbot can help enforce encryption in transit on every bucket across all your AWS accounts.
Traditional Workflow
To enforce TLS encryption for all operations against a bucket, an IAM resource policy must be applied to the bucket. Developers can add this policy when they create the bucket (or not), and it can be added or removed by any S3 administrator at any point in time. Also, because bucket policies can contain many statements, it can be difficult at scale to test whether the correct statement is actually in effect.
Here is an example of a correct policy statement for a bucket named `bob-demo-bucket`:
You will notice that the policy implements a double negative; let's break it down: Deny (`"Effect": "Deny"`) all actions (`"Action": "s3:*"`) for anyone (`"Principal": "*"`) if (`"Condition"`) secure transport is not in use (`"aws:SecureTransport": "false"`).
Get it done with Turbot
In Turbot, encryption in transit guardrails are readily available to control your cloud resource configurations. We can set the existing encryption in transit policies in a few clicks.
Create a new policy setting that enforces a bucket policy requiring encryption in transit:
After setting the policies, Turbot automation will identify all S3 buckets without the encryption in transit configuration in their resource policy. Once a non-compliant resource is found, Turbot will either create a bucket policy (if one does not exist) or update the current policy to include the correct aws:SecureTransport statement. To evaluate how many buckets in your environment would be affected by this policy change we suggest setting the value to `Check: Enabled` at the Turbot level, and then selectively applying the enforcement setting to development and/or sandbox environments to see how the corrective controls will work in practice.
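To make the policy statement from the "Traditional Workflow" section and the check-then-remediate flow just described concrete, here is an added example (not Turbot's code and not from the TDK). It builds the Deny-unless-TLS statement for `bob-demo-bucket`, decides whether an existing bucket policy already contains an effective statement of that shape, and either creates a new policy or appends the statement to the existing one. The `Resource` ARNs, the `Sid`, and the sample policies (including the account id in the reader role) are constructed assumptions; the post does not show them.

```python
import copy
import json

# Constructed sample: the bucket name from the post. The policy documents
# further down are example inputs, not real bucket policies.
BUCKET = "bob-demo-bucket"


def secure_transport_statement(bucket):
    """Deny every S3 action, for every principal, on the bucket and every object
    in it, whenever the request did not arrive over TLS. The Resource ARNs are
    required in a real bucket policy and are assumed here; the post omits them."""
    return {
        "Sid": "DenyInsecureTransport",  # assumed Sid; any unique name works
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def _as_list(value):
    # Policy fields such as Statement, Action and Resource may be a scalar or a list.
    return value if isinstance(value, list) else [value]


def _covers_all_principals(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _covers_all_actions(action):
    return any(a in ("*", "s3:*") for a in _as_list(action))


def _covers_bucket(resource, bucket):
    # Both the bucket itself and every object in it must be covered.
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    return wanted <= set(_as_list(resource))


def _denies_insecure_transport(condition):
    bool_block = condition.get("Bool", {}) if isinstance(condition, dict) else {}
    value = bool_block.get("aws:SecureTransport")
    # The value is normally the string "false"; accept a JSON false as well.
    return value is False or str(value).lower() == "false"


def is_effective(statement, bucket):
    """True if this single statement denies all non-TLS access to the bucket."""
    return (
        statement.get("Effect") == "Deny"
        and _covers_all_principals(statement.get("Principal"))
        and _covers_all_actions(statement.get("Action"))
        and _covers_bucket(statement.get("Resource"), bucket)
        and _denies_insecure_transport(statement.get("Condition"))
    )


def is_compliant(policy, bucket):
    """Check a parsed bucket policy document (None means the bucket has no policy)."""
    if not policy:
        return False
    return any(is_effective(s, bucket) for s in _as_list(policy.get("Statement", [])))


def remediate(policy, bucket):
    """Return (policy, changed): create a policy if none exists, append the TLS
    statement if the existing policy lacks it, and leave a compliant policy alone."""
    if is_compliant(policy, bucket):
        return policy, False
    if not policy:
        return {"Version": "2012-10-17", "Statement": [secure_transport_statement(bucket)]}, True
    new = copy.deepcopy(policy)
    new["Statement"] = _as_list(new.get("Statement", [])) + [secure_transport_statement(bucket)]
    return new, True


# Constructed sample policies standing in for what an inventory scan would return.
SAMPLE_POLICIES = {
    "no-policy": None,
    "read-only-statement": {
        "Version": "2012-10-17",
        "Statement": {  # a single statement object rather than a list
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},  # constructed
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    },
    "already-compliant": {"Version": "2012-10-17", "Statement": [secure_transport_statement(BUCKET)]},
}


def scan(policies, bucket):
    """The 'Check' half of the flow: report which policies would be changed by enforcement."""
    return {name: remediate(p, bucket)[1] for name, p in policies.items()}


if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        new_policy, changed = remediate(policy, BUCKET)
        print(f"{name}: {'needs change' if changed else 'compliant'}")
        if changed:
            print(json.dumps(new_policy, indent=2))
```

Running `scan` first and `remediate` only afterwards mirrors the suggested rollout: `scan` is the `Check: Enabled` view that tells you how many buckets would be touched, and `remediate` is what enforcement would write. Note that `is_effective` requires a single statement to cover all principals, all actions and both bucket ARNs, so a narrower deny (for example one scoped to `s3:GetObject` only) is deliberately reported as non-compliant.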
Make it happen
See for yourself how easy it is to enforce encryption in transit across all of your S3 buckets. The policy example to apply to your environment is available as a Terraform template in the Turbot Development Kit (TDK). If you need any assistance getting this configured please reach out to Turbot Support, and keep an eye on your inbox for another Turbot tip next week!
Cheers,
Bob