Require SSL for logging bucket.

cisagov · Sep 30, 2023 · a15875f · a15875f
1 parent 083ee66
commit a15875f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
@@ -59,7 +59,7 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
           "Bool" : {
             "aws:SecureTransport" : "false"
           }
-        },
+        }
       }
     ]
   })

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -32,6 +32,23 @@ resource "aws_s3_bucket" "logging_bucket" {
   }
 }
 
+resource "aws_s3_bucket_policy" "logging_bucket" {
+  bucket = aws_s3_bucket.logging_bucket.id
+  policy = jsonencode({
+    "Sid" : "Require SSL for requests",
+    "Effect" : "Deny",
+    "Resource" : [
+      "arn:aws:s3:::${var.logging_bucket_name}",
+      "arn:aws:s3:::${var.logging_bucket_name}/*"
+    ],
+    "Condition" : {
+      "Bool" : {
+        "aws:SecureTransport" : "false"
+      }
+    }
+  })
+}
+
 resource "aws_s3_bucket_acl" "logging_bucket" {
   bucket = aws_s3_bucket.logging_bucket.id
   acl    = "private"
-Original file line number
+Diff line change
@@ Expand Up / @@ -59,7 +59,7 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" { @@
               "Bool" : {
                 "aws:SecureTransport" : "false"
               }
-            },
+            }
           }
         ]
       })
@@ Expand Down @@