diff --git a/infrastructure/instance/modules/api_gateway/mtls_cert.tf b/infrastructure/instance/modules/api_gateway/mtls_cert.tf
index 054517c104..0a0c6cffff 100644
--- a/infrastructure/instance/modules/api_gateway/mtls_cert.tf
+++ b/infrastructure/instance/modules/api_gateway/mtls_cert.tf
@@ -28,6 +28,66 @@ resource "aws_s3_bucket_versioning" "truststore_bucket" {
 }
 }
+data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" {
+ statement {
+ sid = "HTTPSOnly"
+ effect = "Deny"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ actions = ["s3:*"]
+
+ resources = [
+ data.aws_s3_bucket.cert_storage.arn,
+ "${data.aws_s3_bucket.cert_storage.arn}/*",
+ ]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
+
+data "aws_iam_policy_document" "truststore_https_only_s3_policy" {
+ statement {
+ sid = "HTTPSOnly"
+ effect = "Deny"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ actions = ["s3:*"]
+
+ resources = [
+ aws_s3_bucket.truststore_bucket.arn,
+ "${aws_s3_bucket.truststore_bucket.arn}/*",
+ ]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "cert_storage_https_only" {
+ bucket = data.aws_s3_bucket.cert_storage.id
+ policy = data.aws_iam_policy_document.cert_storage_https_only_s3_policy.json
+}
+
+resource "aws_s3_bucket_policy" "truststore_https_only" {
+ bucket = aws_s3_bucket.truststore_bucket.id
+ policy = data.aws_iam_policy_document.truststore_https_only_s3_policy.json
+}
+
 resource "aws_s3_object_copy" "copy_cert_from_storage" {
 bucket = aws_s3_bucket.truststore_bucket.bucket
 key = local.truststore_file_name
diff --git a/infrastructure/instance/modules/splunk/backup.tf b/infrastructure/instance/modules/splunk/backup.tf
index 77450ce335..514c656c62 100644
--- a/infrastructure/instance/modules/splunk/backup.tf
+++ b/infrastructure/instance/modules/splunk/backup.tf
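Review bot: `aws_s3_bucket_policy.cert_storage_https_only` attaches a policy to `data.aws_s3_bucket.cert_storage`, a bucket this module only looks up rather than creates; an S3 bucket has exactly one bucket policy, so this resource replaces whatever policy that bucket already carries, and if another configuration manages that policy the two will overwrite each other on every apply. If the bucket is owned elsewhere, the `aws:SecureTransport` deny statement belongs in the owning configuration, or at minimum should be merged with the current policy by reading it through `data "aws_s3_bucket_policy"` and passing it in `source_policy_documents` on the document here, with the ownership decision recorded in a comment such as `// cert_storage is created outside this module; this policy REPLACES any policy set there`. `aws_s3_bucket_policy.truststore_https_only` does not have this problem because `truststore_bucket` is created in this file. As a point of style, the three policy documents (two in this hunk and one in the splunk/backup.tf hunk) differ only in the bucket ARN; a single `data "aws_iam_policy_document"` using `for_each` over a map of bucket ARNs, paired with a `for_each` `aws_s3_bucket_policy`, would keep the three statements from drifting apart.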
@@ -3,3 +3,33 @@ resource "aws_s3_bucket" "failed_logs_backup" {
 // To facilitate deletion of non empty busckets
 force_destroy = var.force_destroy
 }
+
+data "aws_iam_policy_document" "failed_logs_backup_https_only" {
+ statement {
+ sid = "HTTPSOnly"
+ effect = "Deny"
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ actions = ["s3:*"]
+
+ resources = [
+ aws_s3_bucket.failed_logs_backup.arn,
+ "${aws_s3_bucket.failed_logs_backup.arn}/*",
+ ]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "failed_logs_backup_https_only" {
+ bucket = aws_s3_bucket.failed_logs_backup.id
+ policy = data.aws_iam_policy_document.failed_logs_backup_https_only.json
+}