S3 bucket denies HTTP
Check ID: aws-s3-006
AWS-S3-006 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether S3 buckets have a bucket policy that denies non-HTTPS (HTTP) requests by using the aws:SecureTransport condition.
Why it matters
Without a deny-HTTP policy, data uploaded to or downloaded from S3 can travel unencrypted over the internet. Even if server-side encryption is enabled, the transport layer is unprotected. AWS transmits S3 data over HTTPS by default for most SDK and CLI operations, but older applications, misconfigured clients, or manual curl commands can still use HTTP. A man-in-the-middle attacker on the network path could intercept credentials, PII, or other sensitive data in transit.
Common causes
Many teams enable server-side encryption and assume transport is also covered. The deny-HTTP policy requires an explicit bucket policy statement that teams forget to add, especially when buckets are created via Terraform modules that handle encryption but not transport security. Legacy applications that originally used HTTP endpoints are another common gap.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R
The -R flag includes remediation details for every finding, including this one.
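To make the check concrete, here is an added Python example (not cloud-audit's own code) that evaluates a bucket policy document the way this check does: it requires a Deny statement for any principal, over all S3 actions, on both the bucket ARN and its object ARNs, conditioned on aws:SecureTransport being false. The two sample policies and the bucket name are constructed; the second one shows why a plain search for the condition key is not enough.

```python
import json

# Constructed sample: the deny-HTTP statement this check looks for, on a placeholder bucket.
DENY_HTTP_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyHTTP", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed sample: covers objects only, so bucket-level HTTP calls such as ListBucket
# still succeed. A plain text search for the condition key would wrongly pass this policy.
OBJECTS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

def _as_list(value):
    """IAM policy grammar allows a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    # Both "*" and {"AWS": "*"} mean any principal, authenticated or not.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def policy_denies_http(policy_json, bucket_arn):
    """True if a Deny statement blocks every non-TLS request to the bucket and its objects."""
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            continue  # must cover every S3 operation, not just GetObject
        cond = stmt.get("Condition", {}).get("Bool", {})
        values = [str(v).lower() for v in _as_list(cond.get("aws:SecureTransport"))]
        if values != ["false"]:
            continue  # the statement must fire only when TLS is absent
        resources = set(_as_list(stmt.get("Resource")))
        if {bucket_arn, bucket_arn + "/*"} <= resources:
            return True
    return False
```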
Remediation: AWS CLI
aws s3api put-bucket-policy --bucket BUCKET_NAME --policy '{"Version":"2012-10-17","Statement":[{"Sid":"DenyHTTP","Effect":"Deny","Principal":"*","Action":"s3:*","Resource":["arn:aws:s3:::BUCKET_NAME","arn:aws:s3:::BUCKET_NAME/*"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'
Remediation: Terraform
resource "aws_s3_bucket_policy" "deny_http" {
  bucket = aws_s3_bucket.example.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyHTTP"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.example.arn,
        "${aws_s3_bucket.example.arn}/*"
      ]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
Compliance mapping
This check maps to CIS 2.1.1 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
AWS Security Audit: 17 Issues in Every Account →