config: modify bucket policies to Deny HTTP requests

graylog-labs · Apr 26, 2022 · c74dbd1 · c74dbd1
1 parent 3a34dcf
commit c74dbd1
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/s3.tf b/s3.tf
@@ -47,3 +47,39 @@ resource "aws_s3_bucket_public_access_block" "bucket" {
   block_public_policy     = true
   restrict_public_buckets = true
 }
+
+# Bucket Policy
+resource "aws_s3_bucket_policy" "bucket_policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.bucket_policy_document.json
+}
+
+
+
+# Bucket Policy Document
+data "aws_iam_policy_document" "bucket_policy_document" {
+  depends_on = [
+    aws_s3_bucket.bucket
+  ]
+
+  # Deny Cleartext (HTTP) Communication
+
+  statement {
+    actions = ["s3:*"]
+    effect  = "Deny"
+    resources = [
+      "${aws_s3_bucket.bucket.arn}",
+      "${aws_s3_bucket.bucket.arn}/*"
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
+}
+