AWS – "S3 Secure Transport Enabled" False Failures
In the test for "S3 Secure Transport Enabled", Aqua scans to ensure that a condition:
    Bool:
      aws:SecureTransport: <true|false> # based on whether the Effect is Allow or Deny
…is attached to each statement within an S3 Bucket Policy. This is not the only way to achieve this goal. An explicit Deny
statement can also be applied:
    Action: s3:*
    Effect: Deny
    Principal: '*'
    Resource:
      - !GetAtt Bucket.Arn
      - !Sub ${Bucket.Arn}/*
    Condition:
      Bool:
        aws:SecureTransport: false
This configuration has been checked in the IAM Policy Simulator and comports with advice from AWS Premium Support. The scan should check for a Deny statement of this kind and, if present, emit a PASS for that bucket without checking each statement of the policy. (If it's not present, do the other thing, natch.)
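The PASS/FAIL logic the report proposes, written as an added JavaScript example (cloudsploit is a Node.js project) that is not the project's own code: the helper names, the bucket ARN, the account id and both sample policies are constructed for illustration.

```javascript
// Added example (not cloudsploit's own code): evaluate a bucket policy the way
// the report proposes. Helper names are hypothetical; the bucket is constructed.
const BUCKET_ARN = 'arn:aws:s3:::example-bucket';

// IAM fields may be a scalar or an array; normalise to an array.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when a statement is an explicit Deny of all S3 actions, for any
// principal, on the bucket and its objects, whenever SecureTransport is false.
function isInsecureTransportDeny(stmt, bucketArn) {
  const p = stmt.Principal;
  const anyPrincipal = p === '*' || (p != null && asArray(p.AWS).includes('*'));
  const resources = asArray(stmt.Resource);
  const cond = (stmt.Condition || {}).Bool || {};
  return (
    stmt.Effect === 'Deny' &&
    anyPrincipal &&
    asArray(stmt.Action).includes('s3:*') &&
    resources.includes(bucketArn) &&
    resources.includes(`${bucketArn}/*`) &&
    String(cond['aws:SecureTransport']) === 'false'
  );
}

// Per-statement rule the scanner applies today: an Allow must require
// SecureTransport true, a Deny must match SecureTransport false.
function statementEnforcesSecureTransport(stmt) {
  const cond = (stmt.Condition || {}).Bool || {};
  const expected = stmt.Effect === 'Allow' ? 'true' : 'false';
  return String(cond['aws:SecureTransport']) === expected;
}

// One bucket-wide Deny short-circuits to PASS; otherwise every statement must
// satisfy the per-statement rule, and an empty policy never passes.
function checkSecureTransport(policy, bucketArn) {
  const statements = asArray(policy.Statement);
  if (statements.some((s) => isInsecureTransportDeny(s, bucketArn))) return 'PASS';
  return statements.length > 0 && statements.every(statementEnforcesSecureTransport) ? 'PASS' : 'FAIL';
}

// Constructed sample: the explicit Deny plus an Allow that says nothing about
// transport. The current per-statement rule fails this; the proposal passes it.
const POLICY_WITH_DENY = { Version: '2012-10-17', Statement: [
  { Effect: 'Deny', Principal: '*', Action: 's3:*',
    Resource: [BUCKET_ARN, `${BUCKET_ARN}/*`],
    Condition: { Bool: { 'aws:SecureTransport': 'false' } } },
  { Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111122223333:role/reader' },
    Action: 's3:GetObject', Resource: `${BUCKET_ARN}/*` },
] };
// The same Allow on its own leaves plain HTTP permitted, so it must FAIL.
const POLICY_WITHOUT_DENY = { Version: '2012-10-17', Statement: [POLICY_WITH_DENY.Statement[1]] };
```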
Seconding @chrisoverzero's report. It'd be great to get this fixed as right now the best practice advice from AWS Premium Support results in this check failing on buckets with more than a single policy statement, where one statement is the explicit deny of access to the bucket over an insecure transport, and one or more of the other statements don't redundantly specify the expected behaviour for access over an insecure transport.