S3 BucketPolicy Permits Non-SSL Requests
s3-bucket-policy-non-ssl
What this rule checks
Detects AWS::S3::BucketPolicy resources that lack a Deny statement enforcing aws:SecureTransport. Without this, the bucket accepts plain HTTP requests in addition to HTTPS.
How to fix it
1. Add a Deny statement with Action s3:* and Condition Bool aws:SecureTransport=false.
2. Apply the Deny to both the bucket ARN and the bucket-objects ARN (the bucket ARN followed by /*).
3. Use BoolIfExists if the policy already accepts unsigned requests via specific clauses.
Before (flagged): the policy grants access but contains no Deny for non-TLS requests.

import { aws_s3 as s3, aws_iam as iam } from 'aws-cdk-lib';
const bucket = new s3.Bucket(this, 'Bucket');
bucket.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['s3:GetObject'],
  resources: [bucket.arnForObjects('*')],
  principals: [new iam.AccountRootPrincipal()],
}));

After (fixed): enforceSSL: true adds the aws:SecureTransport Deny statement to the bucket policy.

import { aws_s3 as s3, aws_iam as iam } from 'aws-cdk-lib';
const bucket = new s3.Bucket(this, 'Bucket', { enforceSSL: true });
bucket.addToResourcePolicy(new iam.PolicyStatement({
  actions: ['s3:GetObject'],
  resources: [bucket.arnForObjects('*')],
  principals: [new iam.AccountRootPrincipal()],
}));

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.
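To make the three fix steps concrete, here is an added example (not CDK Insights' own implementation, and not part of the original page) that works on the synthesised bucket-policy JSON rather than on CDK constructs: isSecureTransportDeny recognises a Deny statement of the shape the steps describe (s3:* action, Bool or BoolIfExists on aws:SecureTransport=false), enforcesSsl checks that such a statement covers both the bucket ARN and the objects ARN, and secureTransportDeny builds the statement itself. The bucket ARN and the two sample policy documents are constructed for illustration.

```typescript
// Added example: a minimal checker for the condition this rule describes.
// It is not CDK Insights' own code; it inspects a plain bucket-policy
// document and reports whether a Deny on aws:SecureTransport=false covers
// both the bucket ARN and its objects.

type Statement = {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
  Principal?: unknown;
  Condition?: Record<string, Record<string, unknown>>;
};

type PolicyDocument = { Version?: string; Statement: Statement[] };

const asArray = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// True for a Deny on s3:* (or "*") whose condition keys off
// aws:SecureTransport being false. Bool is the usual operator; BoolIfExists
// is accepted for policies that already tolerate requests without the key
// (step 3 of the fix). CloudFormation may carry the value as "false" or false.
function isSecureTransportDeny(stmt: Statement): boolean {
  if (stmt.Effect !== 'Deny') return false;
  const actions = asArray(stmt.Action);
  if (!actions.some((a) => a === 's3:*' || a === '*')) return false;
  const cond = stmt.Condition ?? {};
  for (const op of ['Bool', 'BoolIfExists']) {
    const val = cond[op]?.['aws:SecureTransport'];
    if (val === 'false' || val === false) return true;
  }
  return false;
}

// The rule's core question: does some SecureTransport Deny cover both the
// bucket ARN and the bucket-objects ARN (step 2 of the fix)?
function enforcesSsl(doc: PolicyDocument, bucketArn: string): boolean {
  const objectsArn = `${bucketArn}/*`;
  return doc.Statement.filter(isSecureTransportDeny).some((s) => {
    const res = asArray(s.Resource);
    return res.includes(bucketArn) && res.includes(objectsArn);
  });
}

// The Deny statement the fix steps describe, for a given bucket ARN.
function secureTransportDeny(bucketArn: string): Statement {
  return {
    Effect: 'Deny',
    Action: 's3:*',
    Resource: [bucketArn, `${bucketArn}/*`],
    Principal: '*',
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  };
}

// Constructed sample data (hypothetical bucket name and account id).
const EXAMPLE_BUCKET_ARN = 'arn:aws:s3:::example-bucket';

// Only an Allow for GetObject: this is what the rule flags.
const FLAGGED_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: 's3:GetObject',
      Resource: `${EXAMPLE_BUCKET_ARN}/*`,
      Principal: { AWS: 'arn:aws:iam::123456789012:root' },
    },
  ],
};

// Same Allow plus the Deny: this passes.
const FIXED_POLICY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [...FLAGGED_POLICY.Statement, secureTransportDeny(EXAMPLE_BUCKET_ARN)],
};

console.log('flagged policy enforces SSL:', enforcesSsl(FLAGGED_POLICY, EXAMPLE_BUCKET_ARN)); // false
console.log('fixed policy enforces SSL:', enforcesSsl(FIXED_POLICY, EXAMPLE_BUCKET_ARN)); // true
```

A Deny that lists only the objects ARN is reported as non-compliant by enforcesSsl, because bucket-level operations (listing, policy reads) would still be reachable over plain HTTP; that is why step 2 insists on both ARNs.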
Affected resource types
AWS::S3::BucketPolicy
Intentional? Suppress this finding
Sometimes a flag is deliberate: a genuinely public endpoint, say. You can dismiss s3-bucket-policy-non-ssl and the reason is kept in the report, not silently hidden.
In .cdk-insights.json:
{
  "ignoreRules": [
    { "id": "s3-bucket-policy-non-ssl", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:
Validations.of(scope).acknowledge({
  id: 'cdk-insights::s3-bucket-policy-non-ssl',
  reason: 'Why this is intentional',
});

Use the rule ID s3-bucket-policy-non-ssl shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See also: Suppression docs.
Catch this in your stack
$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.