No SSL between Cloudflare and S3 static site. A big security issue?



  • So I have an S3 static website. Domain, DNS and proxy are managed via Cloudflare. Cloudflare is set to communicate with browsers using SSL and it in fact enforces SSL for non-SSL requests. However, traffic between CF and S3 is HTTP only, as S3 buckets don't support SSL on their own and I assume I'd have to remedy that using Cloudfront. Now, having Cloudflare AND Cloudfront both involved is kinda dumb.

    So, how bad is it, to have Cloudflare talk to S3 sites directly, without SSL?



  • Attackers with limited reach, like local hotspots or at the smaller ISP level, will not be able to read the data. The traffic they have access to is between the client and Cloudflare and thus protected by SSL. Government-level actors, though, might have ways to read and maybe even modify the unprotected traffic between Cloudflare and S3. This includes actors from multiple governments.

    Whether this is "A big security issue" or not depends on the kind of data, i.e. how sensitive they are and what is at stake if they get accessed or even modified by others. Additionally, there might be explicit regulations on how well these specific data need to be protected.


