S3.5: S3 is accepting unencrypted HTTP requests

What does AWS Security Hub S3.5 check?

S3.5 evaluates whether a bucket policy denies requests that do not use SSL/TLS. It reports FAILED when no policy statement enforces the aws:SecureTransport condition, meaning the bucket will still answer plaintext HTTP requests.

Why does S3.5 matter?

Without the deny, an old client or a misconfigured SDK can send credentials and object data over unencrypted HTTP, where it is open to interception or tampering on the wire. The control is one of the most common failing findings precisely because the failure is silent — nothing breaks, the bucket just quietly accepts insecure traffic until an audit notices.

How do I fix S3.5?

1. Add a bucket-policy Deny statement on s3:* for Principal "*" with a condition of aws:SecureTransport=false.
2. Merge it into any existing policy rather than overwriting, so current Allow statements survive.
3. Re-run the control or check Security Hub to confirm it flips to PASSED, then enforce it estate-wide with AWS Config or an SCP.

# 1. The canonical statement Security Hub S3.5 looks for (merge into the existing policy).
cat <<'EOF'
{
  "Sid": "DenyInsecureTransport",
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::acme-prod-logs",
    "arn:aws:s3:::acme-prod-logs/*"
  ],
  "Condition": { "Bool": { "aws:SecureTransport": "false" } }
}
EOF
aws s3api put-bucket-policy --bucket acme-prod-logs --policy file://acme-prod-logs-policy.json

# 2. Swap a load balancer listener onto a recommended TLS policy (closes ELB.17).
aws elbv2 modify-listener \
  --listener-arn arn:aws:elasticloadbalancing:eu-west-1:123456789012:listener/app/web-prod/abc/def \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06