fix: Added block http traffic policy for s3

clouddrove · Jul 28, 2023 · 23a2982 · 23a2982
1 parent ed49ea7
commit 23a2982
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -256,6 +256,34 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
     }
   }
 }
+
+resource "aws_s3_bucket_policy" "block-http" {
+  count  = var.block_http_traffic ? 1 : 0
+  bucket = aws_s3_bucket.mybucket[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "Blockhttp"
+    Statement = [
+      {
+        "Sid" : "AllowSSLRequestsOnly",
+        "Effect" : "Deny",
+        "Principal" : "*",
+        "Action" : "s3:*",
+        "Resource" : [
+          "${aws_s3_bucket.mybucket[0].arn}",
+          "${aws_s3_bucket.mybucket[0].arn}/*",
+        ],
+        "Condition" : {
+          "Bool" : {
+            "aws:SecureTransport" : "false"
+          }
+        }
+      },
+    ]
+  })
+}
+
 ##-----------------------------------------------------------------------------
 ## Below resources will create cloudwatch log group and its components. This cloudwatch log group will be used to store vpc flow logs if "flow_log_destination_type" variable is set to "cloud-watch-logs".
 ##-----------------------------------------------------------------------------

diff --git a/variables.tf b/variables.tf
@@ -348,4 +348,10 @@ variable "enable_key_rotation" {
   type        = bool
   default     = true
   description = "Specifies whether key rotation is enabled. Defaults to true(security best practice)"
+}
+
+variable "block_http_traffic" {
+  type        = bool
+  default     = true
+  description = "True when http traffic has to be blocked for S3."
 }