Extend S3 bucket policy to ensure encryption-in-transit (#43)

* Extend S3 bucket policy to ensure encryption-in-transit Whilst the current option policy ensures server-side encryption, encryption of the transport mechanism isn't enforced. This change extends the S3 bucket policy to enforce encryption in transit, which is necessary to satisfy the s3-bucket-ssl-requests-only AWS Config Rule[1] Given the option to prevent unencrypted uploads is already present, and this change fits in the spirit of that, I've not introduced a separate flag for this behaviour. [1] https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html * fix rebuild-readme issue * fix rebuild-readme issue * Updated README.md * revert actions workflow Co-authored-by: Maxim Mironenko <maxim@cloudposse.com> Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com>
cloudposse · Apr 16, 2020 · 3ebc715 · 3ebc715
1 parent 7a0f82a
commit 3ebc715
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -258,6 +258,10 @@ We deliver 10x the value for a fraction of the cost of a full-time engineer. Our
 
 Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
 
+## Discourse Forums
+
+Participate in our [Discourse Forums][discourse]. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.
+
 ## Newsletter
 
 Sign up for [our newsletter][newsletter] that covers everything on our technology radar.  Receive updates on what we're up to on GitHub as well as awesome new projects we discover. 
@@ -373,6 +377,7 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply
   [testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=testimonial
   [office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=office_hours
   [newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=newsletter
+  [discourse]: https://ask.sweetops.com/?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=discourse
   [email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=email
   [commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=commercial_support
   [we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=we_love_open_source

diff --git a/main.tf b/main.tf
@@ -95,6 +95,30 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
       ]
     }
   }
+
+  statement {
+    sid = "EnforceTlsRequestsOnly"
+
+    effect = "Deny"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+
+    actions = ["s3:*"]
+
+    resources = [
+      "${var.arn_format}:s3:::${local.bucket_name}",
+      "${var.arn_format}:s3:::${local.bucket_name}/*",
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
 resource "aws_s3_bucket" "default" {