Terraform Allows Insecure Transport
Description
Detects AWS S3 bucket policies in Terraform configurations that do not enforce secure transport (HTTPS). When a bucket policy does not reject requests made without TLS, objects can be read or written over unencrypted HTTP, exposing the data in transit to interception and tampering.
Detection Strategy
• Identifies Terraform resource blocks defining AWS S3 bucket policies (aws_s3_bucket_policy)
• Examines the policy statements to check for the presence of secure transport enforcement
• Reports a vulnerability if the policy does not deny requests whose 'aws:SecureTransport' condition key is false (the enforcing pattern is a Deny statement with a Bool condition on aws:SecureTransport = "false"), or if a statement explicitly allows such requests
• Flags configurations that would allow data transfer over non-HTTPS connections
Vulnerable code example
resource "aws_s3_bucket_policy" "vulnerable_bucket" {
  bucket = aws_s3_bucket.b.id

  # Vulnerable: an Allow statement conditioned on aws:SecureTransport = "false"
  # explicitly grants access to requests that arrive over plain HTTP
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {...

Secure code example
resource "aws_s3_bucket_policy" "secure_bucket" {
  bucket = aws_s3_bucket.b.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid = "AllowSecureTransportOnly"...
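As an added example (not code from this page and not Fluid Attacks' scanner), the following Python models the detection strategy described above and runs it over three constructed bucket-policy documents: the JSON that the vulnerable and secure `jsonencode({...})` arguments shown above would produce, plus a third policy whose Deny covers only one action. The bucket ARN, the statement Sids other than AllowSecureTransportOnly, and all function names are assumptions made for the example.

```python
import json

# Constructed sample inputs (assumptions, not taken from the page): the JSON that
# the Terraform `policy = jsonencode({...})` arguments would produce. The bucket
# ARN is a placeholder.
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Vulnerable: an Allow whose condition matches only non-TLS requests, i.e. it
# explicitly grants access over plain HTTP.
VULNERABLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowInsecureTransport",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Secure: a Deny that rejects every request arriving without TLS, for every
# principal, action and object. An explicit Deny overrides any Allow elsewhere.
SECURE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowSecureTransportOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Common mistake: the Deny exists but is scoped to one action, so PutObject,
# ListBucket and the rest can still be performed over HTTP.
PARTIAL_DENY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureGetOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET_ARN}/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _secure_transport_value(stmt):
    """Return 'true'/'false' if the statement has a Bool aws:SecureTransport condition, else None."""
    condition = stmt.get("Condition") or {}
    for operator in ("Bool", "BoolIfExists"):
        for key, value in (condition.get(operator) or {}).items():
            if key.lower() == "aws:securetransport":
                return str(_as_list(value)[0]).lower()
    return None


def _deny_covers_whole_bucket(stmt, bucket_arn):
    """A Deny enforces HTTPS only if it applies to every principal, action and object."""
    principal = stmt.get("Principal")
    all_principals = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
    )
    all_actions = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
    resources = set(_as_list(stmt.get("Resource", [])))
    all_resources = "*" in resources or {bucket_arn, f"{bucket_arn}/*"} <= resources
    return all_principals and all_actions and all_resources


def find_insecure_transport(policy_json, bucket_arn=BUCKET_ARN):
    """Return a list of findings; an empty list means the policy enforces HTTPS."""
    policy = json.loads(policy_json)
    findings = []
    enforced = False
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        transport = _secure_transport_value(stmt)
        if effect == "Allow" and transport == "false":
            findings.append(f"{sid}: Allow statement explicitly permits non-TLS requests")
        if effect == "Deny" and transport == "false":
            if _deny_covers_whole_bucket(stmt, bucket_arn):
                enforced = True
            else:
                findings.append(f"{sid}: Deny on aws:SecureTransport=false does not cover the whole bucket")
    if not enforced:
        findings.append("policy has no Deny that rejects all requests with aws:SecureTransport=false")
    return findings


if __name__ == "__main__":
    for name, policy in (("vulnerable", VULNERABLE_POLICY), ("secure", SECURE_POLICY),
                         ("partial deny", PARTIAL_DENY_POLICY)):
        print(name, "->", find_insecure_transport(policy) or "OK")
```

The check deliberately treats a Deny that is scoped to a single principal, action or resource as insufficient, because IAM evaluates each request against the matching statements only: a Deny on s3:GetObject leaves uploads and listings reachable over HTTP. A broad Deny is the reliable form, since an explicit Deny wins over any Allow granted by the bucket policy or by an identity policy.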