By default, S3 buckets can be accessed through both the HTTP and the HTTPS protocol.
Because HTTP is a clear-text protocol, it provides neither encryption of the data in transit nor authentication of the server the client is talking to. This
means that a malicious actor who can intercept traffic on the network path can read, modify or corrupt the transported content.
Ask Yourself Whether
- The S3 bucket stores sensitive information.
- The infrastructure has to comply with AWS Foundational Security Best Practices standard.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to enforce HTTPS-only access by setting the enforceSSL property to true. In AWS CDK this attaches a bucket policy statement that denies every S3 action, for every principal, on both the bucket and its objects whenever the request condition aws:SecureTransport is false, so plain-HTTP requests are rejected regardless of what IAM or bucket permissions would otherwise allow.
Sensitive Code Example
TLS-only access to the bucket and its objects is not enforced by default:
const s3 = require('aws-cdk-lib/aws-s3');
const bucket = new s3.Bucket(this, 'example'); // Sensitive: enforceSSL defaults to false, HTTP requests are accepted
Compliant Solution
const s3 = require('aws-cdk-lib/aws-s3');
const bucket = new s3.Bucket(this, 'example', {
  bucketName: 'example',
  versioned: true,
  publicReadAccess: false,
  enforceSSL: true // adds a Deny statement for requests where aws:SecureTransport is false
});
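The setting above only helps if the resulting bucket policy actually contains the deny-when-not-TLS statement on both the bucket and its objects. The following JavaScript is an added example, not code from this rule page or from AWS CDK: it audits a bucket policy document (as returned by GetBucketPolicy or found in a synthesized CloudFormation template) for a statement with the shape that enforceSSL: true produces. The three policy documents, the bucket ARN and the function name deniesInsecureTransport are constructed for this illustration.

```javascript
// Added example (not from the rule page or from aws-cdk-lib): check whether a
// bucket policy document rejects plain-HTTP requests the way `enforceSSL: true`
// does. All policy documents below are constructed inline for illustration.

// Normalise a policy field that may be a single value or an array of values.
function asList(value) {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Return true when some statement in `policy` is a Deny that applies to every
// principal and every S3 action, covers both the bucket and its objects, and is
// conditioned on aws:SecureTransport being false.
function deniesInsecureTransport(policy, bucketArn) {
  const required = [bucketArn, `${bucketArn}/*`];
  return asList(policy.Statement).some((s) => {
    if (s.Effect !== 'Deny') return false;
    // Principal may be the string "*" or the object form { AWS: "*" }.
    const everyone = s.Principal === '*' || (s.Principal && s.Principal.AWS === '*');
    if (!everyone) return false;
    if (!asList(s.Action).some((a) => a === 's3:*' || a === '*')) return false;
    // Both the bucket ARN (ListBucket etc.) and the object ARN must be covered;
    // a statement on objects only still allows listing over HTTP.
    const resources = new Set(asList(s.Resource));
    if (!required.every((r) => resources.has(r))) return false;
    const bool = s.Condition && s.Condition.Bool;
    const flag = bool && bool['aws:SecureTransport'];
    return flag === 'false' || flag === false;
  });
}

const bucketArn = 'arn:aws:s3:::example'; // constructed

// Constructed: the shape CDK synthesizes for enforceSSL: true.
const compliantPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Deny',
    Principal: { AWS: '*' },
    Action: 's3:*',
    Resource: [bucketArn, `${bucketArn}/*`],
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  }],
};

// Constructed: a policy that grants one role read access and says nothing about TLS.
const noTlsPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::123456789012:role/app' },
    Action: ['s3:GetObject'],
    Resource: `${bucketArn}/*`,
  }],
};

// Constructed: the Deny is applied to objects only, so bucket-level operations
// such as ListBucket can still be issued over plain HTTP.
const objectsOnlyPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Deny',
    Principal: '*',
    Action: 's3:*',
    Resource: `${bucketArn}/*`,
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  }],
};

// Audit several named policies at once; returns { name: boolean }.
function auditPolicies(policies, arn) {
  const report = {};
  for (const [name, policy] of Object.entries(policies)) {
    report[name] = deniesInsecureTransport(policy, arn);
  }
  return report;
}

console.log(auditPolicies({ compliantPolicy, noTlsPolicy, objectsOnlyPolicy }, bucketArn));
```

The check deliberately requires both the bucket ARN and the object ARN in the Deny statement: a policy that denies insecure transport on objects alone looks compliant at a glance but still leaves bucket-level operations reachable over HTTP.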
See