Allow only HTTPS on an S3 Bucket

Oct 6 2014

It is possible to disable HTTP access on S3 bucket, limiting S3 traffic to only HTTPS requests. The documentation is scattered around the Amazon AWS documentation, but the solution is actually straightforward.

All you need to do to block HTTP traffic on an S3 bucket is add a Condition in your bucket's policy. AWS supports a global condition for verifying SSL. So you can add a condition like this:

"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}

Here's a complete example:

{
    "Version": "2008-10-17",
    "Id": "some_policy",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "true"
                }
            }
        }
    ]
}

Now accessing the contents of my_bucket over HTTP will produce a 403 error, while using HTTPS will work fine.



comments powered by Disqus