2267 s3 buckets should deny non ssl requests (#2281)

* Add 'Action': 's3:*' to RequireSSL permisions.
cisagov · Oct 4, 2023 · fc737a5 · fc737a5
1 parent f5fefef
commit fc737a5
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 7 deletions.
diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -29,6 +29,7 @@
     },
     {
       "Sid": "RequireSSLRequests",
+      "Action": "s3:*",
       "Effect": "Deny",
       "Principal": "*",
       "Resource": [

diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
@@ -50,6 +50,7 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
       },
       {
         "Sid" : "RequireSSLRequests",
+        "Action" : "s3:*",
         "Effect" : "Deny",
         "Principal" : "*",
         "Resource" : [

diff --git a/infrastructure/database.tf b/infrastructure/database.tf
@@ -269,6 +269,7 @@ resource "aws_s3_bucket_policy" "reports_bucket" {
     "Statement" : [
       {
         "Sid" : "RequireSSLRequests",
+        "Action" : "s3:*",
         "Effect" : "Deny",
         "Principal" : "*",
         "Resource" : [
@@ -328,6 +329,7 @@ resource "aws_s3_bucket_policy" "pe_db_backups_bucket" {
     "Statement" : [
       {
         "Sid" : "RequireSSLRequests",
+        "Action" : "s3:*",
         "Effect" : "Deny",
         "Principal" : "*",
         "Resource" : [

diff --git a/infrastructure/frontend_bucket_policy.tpl b/infrastructure/frontend_bucket_policy.tpl
@@ -13,6 +13,7 @@
     },
     {
       "Sid": "RequireSSLRequests",
+      "Action": "s3:*",
       "Effect": "Deny",
       "Principal": "*",
       "Resource": [

diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -38,6 +38,7 @@ resource "aws_s3_bucket_policy" "logging_bucket" {
     "Version" : "2012-10-17",
     "Statement" : [{
       "Sid" : "RequireSSLRequests",
+      "Action" : "s3:*",
       "Effect" : "Deny",
       "Principal" : "*",
       "Resource" : [

diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf
@@ -357,16 +357,16 @@ resource "aws_s3_bucket_policy" "export_bucket" {
     "Version" : "2012-10-17"
     "Statement" : [
       {
-        Sid : "RequireSSLRequests"
-        Effect : "Deny"
-        Principal : "*"
-        Action : "s3:*"
-        Resource : [
+        "Sid" : "RequireSSLRequests"
+        "Action" : "s3:*",
+        "Effect" : "Deny"
+        "Principal" : "*"
+        "Resource" : [
           aws_s3_bucket.export_bucket.arn,
           "${aws_s3_bucket.export_bucket.arn}/*"
         ]
-        Condition : {
-          Bool : {
+        "Condition" : {
+          "Bool" : {
             "aws:SecureTransport" : false
           }
         }