
Commit 9e0b52f

authored
VED-1134: S3 Bucket Policy Missing SecureTransport Statement (#1326)
* Add HTTPS-only policies for S3 buckets in API Gateway and Splunk modules - Introduced HTTPS-only IAM policy documents for S3 buckets used in API Gateway and Splunk to enhance security. - Updated the S3 bucket policies to enforce HTTPS connections, preventing non-secure access to the stored certificates and logs. * Refactor S3 bucket policy documents to standardize HTTPS-only enforcement - Removed unnecessary S3 bucket policy data source. - Updated policy statement IDs to "HTTPSOnly" for consistency across IAM policy documents related to S3 buckets in API Gateway.
1 parent b532ead commit 9e0b52f

2 files changed

Lines changed: 90 additions & 0 deletions


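--- a/infrastructure/instance/modules/api_gateway/mtls_cert.tf
+++ b/infrastructure/instance/modules/api_gateway/mtls_cert.tf
@@ -28,6 +28,66 @@ resource "aws_s3_bucket_versioning" "truststore_bucket" {
 }
 }
 
+data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" {
+statement {
+sid = "HTTPSOnly"
+effect = "Deny"
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+actions = ["s3:*"]
+
+resources = [
+data.aws_s3_bucket.cert_storage.arn,
+"${data.aws_s3_bucket.cert_storage.arn}/*",
+]
+
+condition {
+test = "Bool"
+variable = "aws:SecureTransport"
+values = ["false"]
+}
+}
+}
+
+data "aws_iam_policy_document" "truststore_https_only_s3_policy" {
+statement {
+sid = "HTTPSOnly"
+effect = "Deny"
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+actions = ["s3:*"]
+
+resources = [
+aws_s3_bucket.truststore_bucket.arn,
+"${aws_s3_bucket.truststore_bucket.arn}/*",
+]
+
+condition {
+test = "Bool"
+variable = "aws:SecureTransport"
+values = ["false"]
+}
+}
+}
+
+resource "aws_s3_bucket_policy" "cert_storage_https_only" {
+bucket = data.aws_s3_bucket.cert_storage.id
+policy = data.aws_iam_policy_document.cert_storage_https_only_s3_policy.json
+}
+
+resource "aws_s3_bucket_policy" "truststore_https_only" {
+bucket = aws_s3_bucket.truststore_bucket.id
+policy = data.aws_iam_policy_document.truststore_https_only_s3_policy.json
+}
+
 resource "aws_s3_object_copy" "copy_cert_from_storage" {
 bucket = aws_s3_bucket.truststore_bucket.bucket
 key = local.truststore_file_name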
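Review bot: `aws_s3_bucket_policy.cert_storage_https_only` attaches a policy to a bucket this module only reads through `data.aws_s3_bucket.cert_storage`, and an `aws_s3_bucket_policy` resource is the bucket's single, authoritative policy: if that bucket already carries a policy managed by its owning stack (a cross-account read grant, for example), this apply replaces it, and a later `terraform destroy` of this module strips the policy from a bucket it does not own. I cannot see where `cert_storage` is created, so this needs confirming against that configuration before merging; if it does have its own policy, the Deny statement belongs there rather than here. A comment above the resource stating the authority it takes over the bucket would help the next reader, e.g. `# Sole bucket policy for an externally managed bucket: replaces any policy set elsewhere.` The three policy documents in this commit (two here, one in splunk/backup.tf) differ only in the bucket ARN, so one document generated per bucket with `for_each` would keep them from drifting apart.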

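--- a/infrastructure/instance/modules/splunk/backup.tf
+++ b/infrastructure/instance/modules/splunk/backup.tf
@@ -3,3 +3,33 @@ resource "aws_s3_bucket" "failed_logs_backup" {
 // To facilitate deletion of non empty busckets
 force_destroy = var.force_destroy
 }
+
+data "aws_iam_policy_document" "failed_logs_backup_https_only" {
+statement {
+sid = "HTTPSOnly"
+effect = "Deny"
+
+principals {
+type = "AWS"
+identifiers = ["*"]
+}
+
+actions = ["s3:*"]
+
+resources = [
+aws_s3_bucket.failed_logs_backup.arn,
+"${aws_s3_bucket.failed_logs_backup.arn}/*",
+]
+
+condition {
+test = "Bool"
+variable = "aws:SecureTransport"
+values = ["false"]
+}
+}
+}
+
+resource "aws_s3_bucket_policy" "failed_logs_backup_https_only" {
+bucket = aws_s3_bucket.failed_logs_backup.id
+policy = data.aws_iam_policy_document.failed_logs_backup_https_only.json
+}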
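Review bot: The policy document here is named `failed_logs_backup_https_only` while its api_gateway counterparts in the same commit carry the `_https_only_s3_policy` suffix, and it also shares its name with the `aws_s3_bucket_policy` resource directly below it, so `failed_logs_backup_https_only` denotes two different objects in this file. Renaming the data source to `failed_logs_backup_https_only_s3_policy` and updating the `policy = data.aws_iam_policy_document.failed_logs_backup_https_only_s3_policy.json` reference accordingly would keep the two modules consistent and the names unambiguous. A one-line comment above the document, e.g. `# Deny every S3 action over plain HTTP (aws:SecureTransport = false) on this bucket and its objects.`, would also spare the reader from decoding the Deny/Bool combination.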
