From 3ebc715ae0cae012ed6930975e351676ba7559eb Mon Sep 17 00:00:00 2001 From: Barrie Bremner Date: Thu, 16 Apr 2020 19:28:48 +0100 Subject: [PATCH] Extend S3 bucket policy to ensure encryption-in-transit (#43) * Extend S3 bucket policy to ensure encryption-in-transit Whilst the current option policy ensures server-side encryption, encryption of the transport mechanism isn't enforced. This change extends the S3 bucket policy to enforce encryption in transit, which is necessary to satisfy the s3-bucket-ssl-requests-only AWS Config Rule[1] Given the option to prevent unencrypted uploads is already present, and this change fits in the spirit of that, I've not introduced a separate flag for this behaviour. [1] https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html * fix rebuild-readme issue * fix rebuild-readme issue * Updated README.md * revert actions workflow Co-authored-by: Maxim Mironenko Co-authored-by: actions-bot <58130806+actions-bot@users.noreply.github.com> --- README.md | 5 +++++ main.tf | 24 ++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/README.md b/README.md index 5ff43e9..4363701 100644 --- a/README.md +++ b/README.md @@ -258,6 +258,10 @@ We deliver 10x the value for a fraction of the cost of a full-time engineer. Our Join our [Open Source Community][slack] on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. +## Discourse Forums + +Participate in our [Discourse Forums][discourse]. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account. + ## Newsletter Sign up for [our newsletter][newsletter] that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover. @@ -373,6 +377,7 @@ Check out [our other projects][github], [follow us on twitter][twitter], [apply [testimonial]: https://cpco.io/leave-testimonial?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=testimonial [office_hours]: https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=office_hours [newsletter]: https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=newsletter + [discourse]: https://ask.sweetops.com/?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=discourse [email]: https://cpco.io/email?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=email [commercial_support]: https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=commercial_support [we_love_open_source]: https://cpco.io/we-love-open-source?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-tfstate-backend&utm_content=we_love_open_source diff --git a/main.tf b/main.tf index d0b80f5..2b1721c 100644 --- a/main.tf +++ b/main.tf @@ -95,6 +95,30 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" { ] } } + + statement { + sid = "EnforceTlsRequestsOnly" + + effect = "Deny" + + principals { + type = "AWS" + identifiers = ["*"] + } + + actions = ["s3:*"] + + resources = [ + "${var.arn_format}:s3:::${local.bucket_name}", + "${var.arn_format}:s3:::${local.bucket_name}/*", + ] + + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } } resource "aws_s3_bucket" "default" {