Which solution will meet this requirement?
Ensure that all client implementations are using HTTPS to upload documents into the application.
Configure the s3-bucket-ssl-requests-only managed rule in AWS Config.
Add an S3 bucket policy that denies all S3 actions for condition “aws:secureTransport”: “false”.
Add an S3 bucket ACL with a grantee of AllUsers, a permission of WRITE, and a condition of secureTransport.
Explanations:
While using HTTPS is essential for encrypting data in transit, ensuring that all client implementations use HTTPS is not a direct solution to enforce encryption for uploads to S3. It relies on the clients to implement HTTPS correctly, which may not be guaranteed.
The s3-bucket-ssl-requests-only managed rule in AWS Config is intended to check whether S3 bucket policies enforce SSL requests. While this helps with monitoring compliance, it does not actively prevent uploads without encryption in transit.
Adding an S3 bucket policy that denies all S3 actions for the condition “aws:secureTransport”: “false” effectively prevents any uploads that are not using HTTPS (i.e., not encrypted in transit). Because an explicit Deny overrides any Allow, this enforces the requirement at the bucket level regardless of how clients are configured.
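As an added illustration (not part of the original question or of AWS's own code), the policy below is the bucket policy the correct option describes, written out in full, together with a small checker that approximates what the s3-bucket-ssl-requests-only managed rule evaluates: whether a policy document contains a Deny on all S3 actions, for the bucket and its objects, conditioned on aws:SecureTransport being false. The bucket name is a constructed placeholder, the checker is a simplified stand-in for the real rule, and the documented casing of the condition key is aws:SecureTransport (IAM condition key names are matched case-insensitively).

```python
"""Added example: an SSL-only S3 bucket policy plus a checker that mimics the
intent of the AWS Config managed rule s3-bucket-ssl-requests-only.
The bucket name is a constructed placeholder; the checker is a simplified
approximation, not AWS's implementation."""
import json

BUCKET = "example-upload-bucket"  # constructed placeholder

# The enforcing policy: an explicit Deny always wins over an Allow, and
# aws:SecureTransport evaluates to "false" for every request sent over plain HTTP.
SSL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                f"arn:aws:s3:::{BUCKET}",
                f"arn:aws:s3:::{BUCKET}/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}

# A constructed policy that only grants access and never denies HTTP requests.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers_bucket_and_objects(resources, bucket):
    """True if the statement applies to both the bucket ARN and its objects."""
    res = set(_as_list(resources))
    if "*" in res:
        return True
    return {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"} <= res


def enforces_ssl_only(policy, bucket):
    """Return True if some Deny statement blocks every S3 action on the bucket
    and its objects whenever aws:SecureTransport is false."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:*", "*"}:
            continue
        if not _covers_bucket_and_objects(stmt.get("Resource", []), bucket):
            continue
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        # Condition key names are case-insensitive in IAM; values may be a list.
        for key, value in bool_cond.items():
            if key.lower() != "aws:securetransport":
                continue
            if "false" in {str(v).lower() for v in _as_list(value)}:
                return True
    return False


def audit(policy_json, bucket):
    """Give the Config-rule-style verdict for a policy document stored as JSON text."""
    policy = json.loads(policy_json)
    return "COMPLIANT" if enforces_ssl_only(policy, bucket) else "NON_COMPLIANT"


if __name__ == "__main__":
    print(audit(json.dumps(SSL_ONLY_POLICY), BUCKET))    # COMPLIANT
    print(audit(json.dumps(ALLOW_ONLY_POLICY), BUCKET))  # NON_COMPLIANT
```

The checker reports on the policy only; it is the Deny statement itself that stops an HTTP upload at request time, which is the distinction the explanations draw between monitoring with the Config rule and enforcing with the bucket policy.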
Adding an S3 bucket ACL with a grantee of AllUsers and a permission of WRITE, along with a condition of secureTransport, is not a valid way to enforce encryption. Bucket ACLs do not support conditions, so this approach would not work to enforce encryption in transit for uploads.