FIX CCMG-1729: Deny insecure connection to S3 bucket (#29)

kristian-lesko · web-flow · commit dc84419f9e76 · 2024-04-11T12:02:49.000+02:00
diff --git a/modules/vertice-governance-role/iam_policies.tf b/modules/vertice-governance-role/iam_policies.tf
@@ -31,6 +31,33 @@ data "aws_iam_policy_document" "vertice_cur_bucket_access" {
     ]
   }
 
+  statement {
+    sid    = "AllowSSLRequestsOnly"
+    effect = "Deny"
+
+    actions = [
+      "s3:*",
+    ]
+
+    resources = [
+      "arn:aws:s3:::${var.cur_bucket_name}",
+      "arn:aws:s3:::${var.cur_bucket_name}/*"
+    ]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values = [
+        "false"
+      ]
+    }
+  }
+
   lifecycle {
     precondition {
       condition     = var.cur_bucket_name != null
