S3 Bucket Without SSL In Write Actions

  • Query id: 38c64e76-c71e-4d92-a337-60174d1de1c9
  • Query name: S3 Bucket Without SSL In Write Actions
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket
                - /*
      Bucket: !Ref S3Bucket
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket
          - DomainName
    Description: Name of S3 bucket to hold website content
Postitive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket2:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket2
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: EnsureSSL
            Effect: Deny
            Principal: '*'
            Action: 's3:PutObject'
            Condition:
              Bool:
                'aws:SecureTransport': true
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket2
                - /*
      Bucket: !Ref S3Bucket2
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket2
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket2
          - DomainName
    Description: Name of S3 bucket to hold website content
Postitive test num. 3 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket3:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket3
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  S3Bucket4:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket4
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: EnsureSSL
            Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket3
                - /*
      Bucket: !Ref S3Bucket3
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket3
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket3
          - DomainName
    Description: Name of S3 bucket to hold website content

Postitive test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket5:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket5
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  S3Bucket6:    
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket6
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket
          - DomainName
    Description: Name of S3 bucket to hold website content
Postitive test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Sid": "PublicReadForGetBucketObjects",
              "Effect": "Allow",
              "Principal": "*",
              "Action": "s3:GetObject",
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket",
                  "/*"
                ]
              ]
            }
          ]
        },
        "Bucket": "S3Bucket"
      }
    },
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "S3Bucket",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket",
            "DomainName"
          ]
        ]
      ],
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}
Postitive test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "S3Bucket2": {
      "Properties": {
        "BucketName": "S3Bucket2",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket"
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Sid": "EnsureSSL",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:PutObject",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": true
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket2",
                  "/*"
                ]
              ]
            }
          ]
        },
        "Bucket": "S3Bucket2"
      }
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket2",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket2",
            "DomainName"
          ]
        ]
      ],
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}
Postitive test num. 7 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Sid": "EnsureSSL",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket3",
                  "/*"
                ]
              ]
            }
          ]
        },
        "Bucket": "S3Bucket3"
      }
    },
    "S3Bucket3": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "S3Bucket3",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    },
    "S3Bucket4": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "S3Bucket4",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket3",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket3",
            "DomainName"
          ]
        ]
      ],
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}
Postitive test num. 8 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "S3Bucket5": {
      "Properties": {
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket"
    },
    "S3Bucket6": {
      "Properties": {
        "BucketName": "S3Bucket6",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "ErrorDocument": "error.html",
          "IndexDocument": "index.html"
        }
      },
      "DeletionPolicy": "Retain",
      "Type": "AWS::S3::Bucket"
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket",
            "DomainName"
          ]
        ]
      ],
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}
Postitive test num. 9 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket33:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket33,
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
            Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket33
                - /*
      Bucket: !Ref S3Bucket33
Postitive test num. 10 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "BucketPolicy": {
      "Properties": {
        "Bucket": "S3Bucket33",
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Statement": {
            "Action": "s3:*",
            "Condition": {
              "Bool": {
                "aws:SecureTransport": false
              }
            },
            "Effect": "Allow",
            "Principal": "*",
            "Resource": [
              "",
              {
                "playbooks": [
                  "arn:aws:s3:::",
                  "S3Bucket3",
                  "/*"
                ]
              }
            ]
          },
          "Version": "2012-10-17"
        }
      },
      "Type": "AWS::S3::BucketPolicy"
    },
    "S3Bucket33": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "S3Bucket33",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "ErrorDocument": "error.html",
          "IndexDocument": "index.html"
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: PublicReadForGetBucketObjects
            Effect: Allow
            Principal: '*'
            Action: 's3:GetObject'
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket
                - /*
          - Sid: EnsureSSL
            Effect: Deny
            Principal: '*'
            Action: 's3:PutObject'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket
                - /*
      Bucket: !Ref S3Bucket
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket
          - DomainName
    Description: Name of S3 bucket to hold website content
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket2:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket2
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
          - Sid: EnsureSSL
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket2
                - /*
      Bucket: !Ref S3Bucket2
  S3Bucket3:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy2:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy2
        Version: 2012-10-17
        Statement:
          - Sid: EnsureSSL
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket3
                - /*
      Bucket: !Ref S3Bucket3
Outputs:
  WebsiteURL:
    Value: !GetAtt
      - S3Bucket2
      - WebsiteURL
    Description: URL for website hosted on S3
  S3BucketSecureURL:
    Value: !Join
      - ''
      - - 'https://'
        - !GetAtt
          - S3Bucket2
          - DomainName
    Description: Name of S3 bucket to hold website content
Negative test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "S3Bucket",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "S3Bucket",
        "PolicyDocument": {
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Sid": "PublicReadForGetBucketObjects",
              "Effect": "Allow",
              "Principal": "*",
              "Action": "s3:GetObject",
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket",
                  "/*"
                ]
              ]
            },
            {
              "Principal": "*",
              "Action": "s3:PutObject",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket",
                  "/*"
                ]
              ],
              "Sid": "EnsureSSL",
              "Effect": "Deny"
            }
          ]
        }
      }
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Description": "Name of S3 bucket to hold website content",
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket",
            "DomainName"
          ]
        ]
      ]
    }
  }
}

Negative test num. 4 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket33:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket33
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17
        Statement:
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
            Resource: !Join
              - ''
              - - 'arn:aws:s3:::'
                - !Ref S3Bucket3
                - /*
      Bucket: !Ref S3Bucket33
Negative test num. 5 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "S3Bucket2": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "S3Bucket2",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    },
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": "S3Bucket2",
        "PolicyDocument": {
          "Statement": [
            {
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket2",
                  "/*"
                ]
              ],
              "Sid": "EnsureSSL",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:*"
            }
          ],
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z"
        }
      }
    },
    "S3Bucket3": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "IndexDocument": "index.html",
          "ErrorDocument": "error.html"
        }
      },
      "DeletionPolicy": "Retain"
    },
    "BucketPolicy2": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17T00:00:00Z",
          "Statement": [
            {
              "Principal": "*",
              "Action": "s3:*",
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket3",
                  "/*"
                ]
              ],
              "Sid": "EnsureSSL",
              "Effect": "Deny"
            }
          ],
          "Id": "MyPolicy2"
        },
        "Bucket": "S3Bucket3"
      }
    }
  },
  "Outputs": {
    "WebsiteURL": {
      "Value": [
        "S3Bucket2",
        "WebsiteURL"
      ],
      "Description": "URL for website hosted on S3"
    },
    "S3BucketSecureURL": {
      "Value": [
        "",
        [
          "https://",
          [
            "S3Bucket2",
            "DomainName"
          ]
        ]
      ],
      "Description": "Name of S3 bucket to hold website content"
    }
  }
}
Negative test num. 6 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
            "Ref": "S3Bucket88"
        },
        "PolicyDocument": {
          "Statement": [
            {
              "Condition": {
                "Bool": {
                  "aws:SecureTransport": false
                }
              },
              "Resource": [
                "",
                [
                  "arn:aws:s3:::",
                  "S3Bucket2",
                  "/*"
                ]
              ],
              "Sid": "EnsureSSL",
              "Effect": "Deny",
              "Principal": "*",
              "Action": "s3:*"
            }
          ],
          "Id": "MyPolicy",
          "Version": "2012-10-17T00:00:00Z"
        }
      }
    },
    "S3Bucket88": {
      "DeletionPolicy": "Retain",
      "Properties": {
        "BucketName": "S3Bucket88",
        "AccessControl": "PublicRead",
        "WebsiteConfiguration": {
          "ErrorDocument": "error.html",
          "IndexDocument": "index.html"
        }
      },
      "Type": "AWS::S3::Bucket"
    }
  }
}
Negative test num. 7 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket88:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket88
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17T00:00:00Z
        Statement:
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': false
      Bucket: !Ref S3Bucket88
Negative test num. 8 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket88:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: S3Bucket88
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
    DeletionPolicy: Retain
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      PolicyDocument:
        Id: MyPolicy
        Version: 2012-10-17T00:00:00Z
        Statement:
            Effect: Allow
            Principal: '*'
            Action: 's3:*'
            Condition:
              Bool:
                'aws:SecureTransport': true
      Bucket: !Ref S3Bucket88