Allow only HTTPS on an S3 Bucket
Oct 6 2014
It is possible to disable HTTP access on an S3 bucket, limiting S3 traffic to HTTPS requests only. The relevant information is scattered around the Amazon AWS documentation, but the solution is actually straightforward.
All you need to do to block HTTP traffic on an S3 bucket is add a Condition in your bucket's policy. AWS supports a global condition for verifying SSL. So you can add a condition like this:
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "true"
        }
    }
Here's a complete example:
    {
        "Version": "2008-10-17",
        "Id": "some_policy",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::my_bucket/*",
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "true"
                    }
                }
            }
        ]
    }
Now accessing the contents of my_bucket over HTTP will produce a 403 error, while using HTTPS will work fine.
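
An added example, not part of the original post: a small Python check that reports which Allow statements in a bucket policy lack the aws:SecureTransport condition (and so also match plain HTTP unless an explicit Deny covers them) and which Deny statements reject non-HTTPS requests. The function names and the second policy are constructed for illustration, and only the Bool operator is inspected.

```python
import json

def _as_list(value):
    # Policy JSON accepts a single item wherever a list is allowed.
    return value if isinstance(value, list) else [value]

def secure_transport(stmt):
    """Value of the Bool aws:SecureTransport condition ('true'/'false'), or None."""
    for key, value in stmt.get("Condition", {}).get("Bool", {}).items():
        if key.lower() == "aws:securetransport":  # key names are case-insensitive
            return str(_as_list(value)[0]).lower()
    return None

def audit_https_only(policy):
    """List Allow statements that also match plain HTTP and Denies of non-HTTPS requests."""
    report = {"allows_http": [], "denies_http": []}
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        label = stmt.get("Sid", f"statement[{index}]")
        transport = secure_transport(stmt)
        if stmt.get("Effect") == "Allow" and transport != "true":
            report["allows_http"].append(label)
        elif stmt.get("Effect") == "Deny" and transport == "false":
            report["denies_http"].append(label)
    return report

HTTPS_ONLY = {"Bool": {"aws:SecureTransport": "true"}}
# The policy from the post: one Allow, conditioned on HTTPS.
PAGE_POLICY = {"Version": "2008-10-17", "Id": "some_policy", "Statement": [
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*",
     "Condition": HTTPS_ONLY}]}
# Constructed variant: a second Allow without the condition, plus an explicit Deny.
MIXED_POLICY = {"Version": "2008-10-17", "Statement": [
    PAGE_POLICY["Statement"][0],
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my_bucket"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

if __name__ == "__main__":
    for name, policy in (("page", PAGE_POLICY), ("mixed", MIXED_POLICY)):
        print(name, json.dumps(audit_https_only(policy)))
```

The check does not compare the actions or resources of a Deny against the flagged Allows, so a non-empty denies_http list still needs a manual look at what it covers.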