Enforce secure transport policy on artifacts bucket (#389)

aws-cloudformation · Feb 7, 2020 · 5631dcb · 5631dcb
1 parent ec32a98
commit 5631dcb
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/rpdk/core/data/managed-upload-infrastructure.yaml b/src/rpdk/core/data/managed-upload-infrastructure.yaml
@@ -37,6 +37,16 @@ Resources:
             Resource:
               - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}"
               - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}/*"
+          - Sid: Require Secure Transport
+            Action: "s3:*"
+            Effect: Deny
+            Resource:
+              - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}"
+              - !Sub "arn:${AWS::Partition}:s3:::${ArtifactBucket}/*"
+            Condition:
+              Bool:
+                "aws:SecureTransport": "false"
+            Principal: "*"
 
   EncryptionKey:
     Type: AWS::KMS::Key