How do I force SSL-only access to an S3 bucket?

Add a bucket policy with a Deny statement using the condition: {"Bool": {"aws:SecureTransport": "false"}}. This denies all requests that don't use HTTPS (SSL). Apply this to all principals and all objects in the bucket to ensure only encrypted connections are allowed.

Why should I enforce SSL-only access on S3 buckets?

Enforcing SSL ensures data in transit between clients and S3 is encrypted, protecting against man-in-the-middle attacks. It is a security best practice required by compliance frameworks like PCI DSS, HIPAA, and SOC 2, and is recommended in the AWS Security Hub and CIS AWS Foundations Benchmark.

What does the aws:SecureTransport condition key do in S3 policies?

The aws:SecureTransport condition key evaluates to true when a request is made over HTTPS and false when made over HTTP. By denying requests where aws:SecureTransport is false, you effectively block all unencrypted HTTP access to your S3 bucket, requiring all clients to use HTTPS.

Does enforcing SSL on S3 affect AWS services that access the bucket?

No, AWS services like CloudFront, Lambda, and EC2 access S3 over HTTPS by default. Enforcing SSL will not break these integrations. The main impact is on older scripts or applications that may use HTTP S3 endpoints (http://bucket.s3.amazonaws.com), which will need to be updated to HTTPS.

AWS S3 Bucket Policy with Forcefully SSL Requests Only

June 8, 2020 / Nirav Shah

In this blog, our AWS team will explain to you how can we create a secure bucket policy on S3.
Confusing about “secure bucket”???
Have you ever heard about “HTTP and HTTPS protocols”

AWS S3 Bicket Policy Forcefully SSL Requests Only

The above image shows that https requests should be encrypted, so that no one hacker can hack our website.
Just the same thing we will step in AWS.
So now let’s get started with log in to your AWS console …… 🙂

Step 1

Go to the S3 console and create a bucket and add some objects on the bucket.
In our case, my bucket name is “mywebsite1996”
And we have created Two folders that are

private
public

In this blog, we can use the public folder,

Note

Our bucket is in publicly accessible,

AWS S3 Bicket Policy Forcefully SSL Requests Only

So in our public folder, I have uploaded a pic of my AWS certification badge,

URL https://mywebsite1996.s3.amazonaws.com/public/AWS_Solutions_Architect_logo_aws_solutions_architect_aws_solutions_architect.png

AWS S3 Bicket Policy Forcefully SSL Requests Only

Now change the URL http://mywebsite1996.s3.amazonaws.com/public/AWS_Solutions_Architect_logo_aws_solutions_architect_aws_solutions_architect.png

In both of the above images, we can say that the https request is very secure.

AWS S3 Bicket Policy Forcefully SSL Requests Only

Step 2

Go to the “bucket policy” in the permission section

AWS S3 Bicket Policy Forcefully SSL Requests Only

Step 3

So now we have to create a custom policy.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::/public/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Here my bucket name is “mywebsite1996”

AWS S3 Bicket Policy Forcefully SSL Requests Only

And click on “save button”
On the above policy, you can see that we have denied the specific folder that is “public” ( you can also apply to the bucket)
Now go to the “public folder “ and open the object URL
Your URL looks like this,
https://mywebsite1996.s3.amazonaws.com/public/AWS_Solutions_Architect_logo_aws_solutions_architect_aws_solutions_architect.png

AWS S3 Bicket Policy Forcefully SSL Requests Only

And click on the URL you will see the image, for here we have uploaded my certification badge

AWS S3 Bicket Policy Forcefully SSL Requests Only

Now try to access the URL via http request
You will see this,
http://mywebsite1996.s3.amazonaws.com/public/AWS_Solutions_Architect_logo_aws_solutions_architect_aws_solutions_architect.png

AWS S3 Bicket Policy Forcefully SSL Requests Only

Great, you finally did it……

Spread Love By Sharing:

Nirav Shah

Nirav Shah is the Director of Eternal Web Pvt Ltd, an AWS Advanced Consulting Partner and certified Odoo Partner based in the UK. With over a decade of experience in cloud computing, digital transformation, and ERP implementation, Nirav helps enterprises adopt the right technology to solve complex business challenges. He specialises in AWS infrastructure, Odoo ERP, and web development solutions for businesses across the UK and beyond.