By default, S3 buckets can be accessed through HTTP and HTTPs protocols.

As HTTP is a clear-text protocol, it lacks the encryption of transported data, as well as the capability to build an authenticated connection. It means that a malicious actor who is able to intercept traffic from the network can read, modify or corrupt the transported content.

Ask Yourself Whether

• The S3 bucket stores sensitive information.
• The infrastructure has to comply with AWS Foundational Security Best Practices standard.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It’s recommended to enforce HTTPS only access by setting enforceSSL property to true

Sensitive Code Example

S3 bucket objects access through TLS is not enforced by default:

const s3 = require('aws-cdk-lib/aws-s3');

const bucket = new s3.Bucket(this, 'example'); // Sensitive

Compliant Solution

const s3 = require('aws-cdk-lib/aws-s3');

const bucket = new s3.Bucket(this, 'example', {
    bucketName: 'example',
    versioned: true,
    publicReadAccess: false,
    enforceSSL: true
});

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• AWS documentation - Enforce encryption of data in transit
• AWS Foundational Security Best Practices controls - S3 buckets should require requests to use Secure Socket Layer
• MITRE, CWE-319 - Cleartext Transmission of Sensitive Information
• AWS CDK version 2 - Bucket