Skip to content

VED-1134: S3 Bucket Policy Missing SecureTransport Statement #1326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Thomas-Boyle wants to merge 9 commits into
base: master
Choose a base branch
from
Open

VED-1134: S3 Bucket Policy Missing SecureTransport Statement #1326

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
a47de13
Add HTTPS-only policies for S3 buckets in API Gateway and Splunk modules
Thomas-Boyle Mar 24, 2026
3a35957
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 24, 2026
fdd4e97
Refactor S3 bucket policy documents to standardize HTTPS-only enforce…
Thomas-Boyle Mar 24, 2026
594055f
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 25, 2026
65e2b61
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 25, 2026
5f2ef1b
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 26, 2026
4137370
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 26, 2026
b1b1279
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 26, 2026
b3efbdd
Merge branch 'master' into 1134-Bucket-Policy-Missing-SecureTransport…
Thomas-Boyle Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions infrastructure/instance/modules/api_gateway/mtls_cert.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,66 @@ resource "aws_s3_bucket_versioning" "truststore_bucket" {
}
}

data "aws_iam_policy_document" "cert_storage_https_only_s3_policy" {
statement {
sid = "HTTPSOnly"
effect = "Deny"

principals {
type = "AWS"
identifiers = ["*"]
}

actions = ["s3:*"]

resources = [
data.aws_s3_bucket.cert_storage.arn,
"${data.aws_s3_bucket.cert_storage.arn}/*",
]

condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}

data "aws_iam_policy_document" "truststore_https_only_s3_policy" {
statement {
sid = "HTTPSOnly"
effect = "Deny"

principals {
type = "AWS"
identifiers = ["*"]
}

actions = ["s3:*"]

resources = [
aws_s3_bucket.truststore_bucket.arn,
"${aws_s3_bucket.truststore_bucket.arn}/*",
]

condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}

resource "aws_s3_bucket_policy" "cert_storage_https_only" {
bucket = data.aws_s3_bucket.cert_storage.id
policy = data.aws_iam_policy_document.cert_storage_https_only_s3_policy.json
}

resource "aws_s3_bucket_policy" "truststore_https_only" {
bucket = aws_s3_bucket.truststore_bucket.id
policy = data.aws_iam_policy_document.truststore_https_only_s3_policy.json
}

resource "aws_s3_object_copy" "copy_cert_from_storage" {
bucket = aws_s3_bucket.truststore_bucket.bucket
key = local.truststore_file_name
Expand Down
30 changes: 30 additions & 0 deletions infrastructure/instance/modules/splunk/backup.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,33 @@ resource "aws_s3_bucket" "failed_logs_backup" {
// To facilitate deletion of non empty busckets
force_destroy = var.force_destroy
}

data "aws_iam_policy_document" "failed_logs_backup_https_only" {
statement {
sid = "HTTPSOnly"
effect = "Deny"

principals {
type = "AWS"
identifiers = ["*"]
}

actions = ["s3:*"]

resources = [
aws_s3_bucket.failed_logs_backup.arn,
"${aws_s3_bucket.failed_logs_backup.arn}/*",
]

condition {
test = "Bool"
variable = "aws:SecureTransport"
values = ["false"]
}
}
}

resource "aws_s3_bucket_policy" "failed_logs_backup_https_only" {
bucket = aws_s3_bucket.failed_logs_backup.id
policy = data.aws_iam_policy_document.failed_logs_backup_https_only.json
}
Loading