Require SSL for export bucket; rafactor policy resource for cloudwatc…

…h and logging buckets.
cisagov · Oct 1, 2023 · a31aeae · a31aeae
1 parent 0e5cfea
commit a31aeae
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 5 deletions.
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
@@ -29,7 +29,7 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
           "Service" : "logs.amazonaws.com"
         },
         "Action" : "s3:GetBucketAcl",
-        "Resource" : "arn:aws:s3:::${var.cloudwatch_bucket_name}"
+        "Resource" : aws_s3_bucket.cloudwatch_bucket.arn
       },
       {
         "Sid" : "Allow Cloudwatch to write to bucket",
@@ -39,8 +39,8 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
         },
         "Action" : "s3:PutObject",
         "Resource" : [
-          "arn:aws:s3:::${var.cloudwatch_bucket_name}",
-          "arn:aws:s3:::${var.cloudwatch_bucket_name}/*"
+          aws_s3_bucket.cloudwatch_bucket.arn,
+          "${aws_s3_bucket.cloudwatch_bucket.arn}/*"
         ],
         "Condition" : {
           "StringEquals" : {

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -40,8 +40,8 @@ resource "aws_s3_bucket_policy" "logging_bucket" {
       "Sid" : "Require SSL for requests",
       "Effect" : "Deny",
       "Resource" : [
-        "arn:aws:s3:::${var.logging_bucket_name}",
-        "arn:aws:s3:::${var.logging_bucket_name}/*"
+        aws_s3_bucket.logging_bucket.arn,
+        "${aws_s3_bucket.logging_bucket.arn}/*"
       ],
       "Condition" : {
         "Bool" : {

diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf
@@ -351,6 +351,30 @@ resource "aws_s3_bucket" "export_bucket" {
   }
 }
 
+resource "aws_s3_bucket_policy" "export_bucket" {
+  bucket = var.export_bucket_name
+  policy = jsonencode({
+    "Version" = "2012-10-17"
+    "Statement" = [
+      {
+        Sid = "Require SSL for Requests"
+        Effect = "Deny"
+        Principal = "*"
+        Action = "s3:*"
+        Resource = [
+          aws_s3_bucket.export_bucket.arn,
+          "${aws_s3_bucket.export_bucket.arn}/*"
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport": false
+          }
+        }
+      }
+    ]
+  })
+}
+
 resource "aws_s3_bucket_acl" "export_bucket" {
   bucket = aws_s3_bucket.export_bucket.id
   acl    = "private"