top of page

Keeping our S3 buckets safe in transit and in rest


When using AWS S3, our favorite AWS service for keeping static files, we have two ways of uploading objects, by HTTP or HTTPS, when we (or our applications) store files using the HTTP endpoint of S3, all the traffic that we send to S3 travels unencrypted.

If we use HTTP instead of HTTPS all requests and responses can be read by anyone monitoring the session so that any malicious actor can intercept the data. Never share your personal data on a website that doesn’t show the following:

To avoid this problem on S3, there are two things that we can do:

  • Always use the HTTPS endpoint, if you are using any AWS SDK that is the default behavior.

  • Deny all HTTP traffic on your S3 bucket Policy.

S3 bucket Policies are documents that allow you to protect access to all your S3 bucket objects, here is the policy that we need to enforce HTTPS traffic.

Also, to ensure that all the files on our S3 buckets are encrypted at rest, we have two options:

  • Set to default the encryption setting on the S3 bucket properties.

  • Add a statement to the S3 bucket policy to deny all PutObject operations that do not contain the encryption header.

Finally, when we build safe and reliable applications (not just for AWS S3), we must always ensure that all our data is encrypted in transit and in rest.

Hope you have learned something new, happy coding and see you in the cloud!