From a47de132da60cfe9bc9433200b4fc046a7ba3fe6 Mon Sep 17 00:00:00 2001 From: Thomas-Boyle Date: Tue, 24 Mar 2026 14:11:51 +0000 Subject: [PATCH 1/2] Add HTTPS-only policies for S3 buckets in API Gateway and Splunk modules - Introduced HTTPS-only IAM policy documents for S3 buckets used in API Gateway and Splunk to enhance security. - Updated the S3 bucket policies to enforce HTTPS connections, preventing non-secure access to the stored certificates and logs. --- .../instance/modules/api_gateway/mtls_cert.tf | 66 +++++++++++++++++++ .../instance/modules/splunk/backup.tf | 30 +++++++++ 2 files changed, 96 insertions(+) diff --git a/infrastructure/instance/modules/api_gateway/mtls_cert.tf b/infrastructure/instance/modules/api_gateway/mtls_cert.tf index 054517c104..e02d07e5d1 100644 --- a/infrastructure/instance/modules/api_gateway/mtls_cert.tf +++ b/infrastructure/instance/modules/api_gateway/mtls_cert.tf 
@@ -28,6 +28,72 @@ resource "aws_s3_bucket_versioning" "truststore_bucket" { } } +data "aws_s3_bucket_policy" "cert_storage" { + bucket = data.aws_s3_bucket.cert_storage.bucket +} + +data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" { + source_policy_documents = [data.aws_s3_bucket_policy.cert_storage.policy] + + statement { + sid = "EnforceHttpsOnly" + effect = "Deny" + + principals { + type = "AWS" + identifiers = ["*"] + } + + actions = ["s3:*"] + + resources = [ + data.aws_s3_bucket.cert_storage.arn, + "${data.aws_s3_bucket.cert_storage.arn}/*", + ] + + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } +} + +data "aws_iam_policy_document" "truststore_https_only_s3_policy" { + statement { + sid = "EnforceHttpsOnly" + effect = "Deny" + + principals { + type = "AWS" + identifiers = ["*"] + } + + actions = ["s3:*"] + + resources = [ + aws_s3_bucket.truststore_bucket.arn, + "${aws_s3_bucket.truststore_bucket.arn}/*", + ] + + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } +} + +resource "aws_s3_bucket_policy" "cert_storage_https_only" { + bucket = data.aws_s3_bucket.cert_storage.id + policy = data.aws_iam_policy_document.cert_storage_https_only_s3_policy.json +} + +resource "aws_s3_bucket_policy" "truststore_https_only" { + bucket = aws_s3_bucket.truststore_bucket.id + policy = data.aws_iam_policy_document.truststore_https_only_s3_policy.json +} + resource "aws_s3_object_copy" "copy_cert_from_storage" { bucket = aws_s3_bucket.truststore_bucket.bucket key = local.truststore_file_name diff --git a/infrastructure/instance/modules/splunk/backup.tf b/infrastructure/instance/modules/splunk/backup.tf index 77450ce335..514c656c62 100644 --- a/infrastructure/instance/modules/splunk/backup.tf +++ b/infrastructure/instance/modules/splunk/backup.tf 
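Review bot: The `EnforceHttpsOnly` statements in `cert_storage_https_only_s3_policy` and `truststore_https_only_s3_policy` only reject plaintext requests (`aws:SecureTransport` = `false`); a client that negotiates an old TLS version still passes, so if the intent is to protect the mTLS truststore material in transit, a second Deny statement keyed on `s3:TlsVersion` with `NumericLessThan` `1.2` closes that gap (it has to be a separate statement, since two `condition` blocks in one statement are ANDed). The same applies to `failed_logs_backup_https_only` in splunk/backup.tf. The `Deny` for principal `*` on `s3:*` is the standard shape for this control, but it is an explicit deny that applies to every principal, including the account root, so a one-line comment such as `# Deny any non-TLS request; intentionally applies to all principals, including the account root` above each statement would stop the next reader from trying to scope it down. The `aws_s3_bucket_versioning.truststore_bucket` block at the top of the hunk starts outside it.

```hcl
data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" {
  # … unchanged: source_policy_documents and the EnforceHttpsOnly statement …

  statement {
    sid    = "EnforceMinimumTlsVersion"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      data.aws_s3_bucket.cert_storage.arn,
      "${data.aws_s3_bucket.cert_storage.arn}/*",
    ]

    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
}
```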
@@ -3,3 +3,33 @@ resource "aws_s3_bucket" "failed_logs_backup" { // To facilitate deletion of non empty busckets force_destroy = var.force_destroy } + +data "aws_iam_policy_document" "failed_logs_backup_https_only" { + statement { + sid = "HTTPSOnly" + effect = "Deny" + + principals { + type = "AWS" + identifiers = ["*"] + } + + actions = ["s3:*"] + + resources = [ + aws_s3_bucket.failed_logs_backup.arn, + "${aws_s3_bucket.failed_logs_backup.arn}/*", + ] + + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } +} + +resource "aws_s3_bucket_policy" "failed_logs_backup_https_only" { + bucket = aws_s3_bucket.failed_logs_backup.id + policy = data.aws_iam_policy_document.failed_logs_backup_https_only.json +} From fdd4e97bb8573c0e20e1132af3e3fb78f863eea5 Mon Sep 17 00:00:00 2001 From: Thomas-Boyle Date: Tue, 24 Mar 2026 15:04:54 +0000 Subject: [PATCH 2/2] Refactor S3 bucket policy documents to standardize HTTPS-only enforcement - Removed unnecessary S3 bucket policy data source. - Updated policy statement IDs to "HTTPSOnly" for consistency across IAM policy documents related to S3 buckets in API Gateway. --- .../instance/modules/api_gateway/mtls_cert.tf | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/infrastructure/instance/modules/api_gateway/mtls_cert.tf b/infrastructure/instance/modules/api_gateway/mtls_cert.tf index e02d07e5d1..0a0c6cffff 100644 --- a/infrastructure/instance/modules/api_gateway/mtls_cert.tf +++ b/infrastructure/instance/modules/api_gateway/mtls_cert.tf @@ -28,15 +28,9 @@ resource "aws_s3_bucket_versioning" "truststore_bucket" { } } -data "aws_s3_bucket_policy" "cert_storage" { - bucket = data.aws_s3_bucket.cert_storage.bucket -} - data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" { - source_policy_documents = [data.aws_s3_bucket_policy.cert_storage.policy] - statement { - sid = "EnforceHttpsOnly" + sid = "HTTPSOnly" effect = "Deny" principals { 
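Review bot: Dropping `source_policy_documents` from `cert_storage_https_only_s3_policy` means `aws_s3_bucket_policy.cert_storage_https_only` now writes a policy containing only the `HTTPSOnly` statement to a bucket this module does not create (it is read through `data.aws_s3_bucket.cert_storage`). An S3 bucket has exactly one policy, so if that bucket already carries one, such as a grant for whoever uploads the certificate or a policy owned by another stack, this apply replaces it and the two owners will flip-flop on every plan. The commit message calls the data source unnecessary; if that is because the bucket is known to carry no other policy, record it in the file, e.g. `# cert_storage is created outside this module and has no other bucket policy; this resource owns it` above the resource, otherwise the deny statement belongs wherever that bucket's policy is actually managed. The `cert_storage_https_only_s3_policy` document continues past the end of the hunk.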
@@ -61,7 +55,7 @@ data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" { data "aws_iam_policy_document" "truststore_https_only_s3_policy" { statement { - sid = "EnforceHttpsOnly" + sid = "HTTPSOnly" effect = "Deny" principals {