From fc737a51badc3b260fc3c7f282ffdfc9a6fc21dc Mon Sep 17 00:00:00 2001
From: Matthew <106278637+Matthew-Grayson@users.noreply.github.com>
Date: Wed, 4 Oct 2023 12:31:04 -0500
Subject: [PATCH] 2267 s3 buckets should deny non ssl requests (#2281)

* Add 'Action': 's3:*' to RequireSSL permisions.
---
 infrastructure/cloudtrail_bucket_policy.tpl | 1 +
 infrastructure/cloudwatch.tf | 1 +
 infrastructure/database.tf | 2 ++
 infrastructure/frontend_bucket_policy.tpl | 1 +
 infrastructure/main.tf | 1 +
 infrastructure/worker.tf | 14 +++++++-------
 6 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/infrastructure/cloudtrail_bucket_policy.tpl b/infrastructure/cloudtrail_bucket_policy.tpl
index 15dbc0da6..5067a5c4a 100644
--- a/infrastructure/cloudtrail_bucket_policy.tpl
+++ b/infrastructure/cloudtrail_bucket_policy.tpl
@@ -29,6 +29,7 @@
 },
 {
 "Sid": "RequireSSLRequests",
+ "Action": "s3:*",
 "Effect": "Deny",
 "Principal": "*",
 "Resource": [
diff --git a/infrastructure/cloudwatch.tf b/infrastructure/cloudwatch.tf
index 667236bbe..848f97e93 100644
--- a/infrastructure/cloudwatch.tf
+++ b/infrastructure/cloudwatch.tf
@@ -50,6 +50,7 @@ resource "aws_s3_bucket_policy" "cloudwatch_bucket" {
 },
 {
 "Sid" : "RequireSSLRequests",
+ "Action" : "s3:*",
 "Effect" : "Deny",
 "Principal" : "*",
 "Resource" : [
diff --git a/infrastructure/database.tf b/infrastructure/database.tf
index e21640eec..125fc33be 100644
--- a/infrastructure/database.tf
+++ b/infrastructure/database.tf
@@ -269,6 +269,7 @@ resource "aws_s3_bucket_policy" "reports_bucket" {
 "Statement" : [
 {
 "Sid" : "RequireSSLRequests",
+ "Action" : "s3:*",
 "Effect" : "Deny",
 "Principal" : "*",
 "Resource" : [
@@ -328,6 +329,7 @@ resource "aws_s3_bucket_policy" "pe_db_backups_bucket" {
 "Statement" : [
 {
 "Sid" : "RequireSSLRequests",
+ "Action" : "s3:*",
 "Effect" : "Deny",
 "Principal" : "*",
 "Resource" : [
diff --git a/infrastructure/frontend_bucket_policy.tpl b/infrastructure/frontend_bucket_policy.tpl
index 416f198ec..8beacee63 100644
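Review bot: The Deny completed by the added `"Action": "s3:*"` line only bites for what the statement's `Resource` list names and only under its `aws:SecureTransport` Condition, and both lie outside this hunk (the statement continues past it), so it is worth confirming the list carries both the bucket ARN and `<bucket-arn>/*` — a Deny scoped to objects alone leaves bucket-level calls such as ListBucket unaffected over plain HTTP. The same check applies to the cloudwatch.tf, both database.tf, frontend_bucket_policy.tpl and main.tf hunks; the worker.tf hunk shows both ARNs and needs none. The .tf policies would also benefit from a one-line HCL comment above the statement, e.g. `# Deny every S3 call not made over TLS; Resource must name the bucket and its objects.` (the .tpl files are plain JSON and cannot carry one). Placing `Action` between `Sid` and `Effect` is harmless to IAM but departs from the usual Sid/Effect/Principal/Action/Resource/Condition order; aligning it across the six files would make the statements easier to compare.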
--- a/infrastructure/frontend_bucket_policy.tpl
+++ b/infrastructure/frontend_bucket_policy.tpl
@@ -13,6 +13,7 @@
 },
 {
 "Sid": "RequireSSLRequests",
+ "Action": "s3:*",
 "Effect": "Deny",
 "Principal": "*",
 "Resource": [
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
index bfccb4fcb..7cacdb573 100644
--- a/infrastructure/main.tf
+++ b/infrastructure/main.tf
@@ -38,6 +38,7 @@ resource "aws_s3_bucket_policy" "logging_bucket" {
 "Version" : "2012-10-17",
 "Statement" : [{
 "Sid" : "RequireSSLRequests",
+ "Action" : "s3:*",
 "Effect" : "Deny",
 "Principal" : "*",
 "Resource" : [
diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf
index 7ed0d77e8..e30ae4722 100644
--- a/infrastructure/worker.tf
+++ b/infrastructure/worker.tf
@@ -357,16 +357,16 @@ resource "aws_s3_bucket_policy" "export_bucket" {
 "Version" : "2012-10-17"
 "Statement" : [
 {
- Sid : "RequireSSLRequests"
- Effect : "Deny"
- Principal : "*"
- Action : "s3:*"
- Resource : [
+ "Sid" : "RequireSSLRequests"
+ "Action" : "s3:*",
+ "Effect" : "Deny"
+ "Principal" : "*"
+ "Resource" : [
 aws_s3_bucket.export_bucket.arn,
 "${aws_s3_bucket.export_bucket.arn}/*"
 ]
- Condition : {
- Bool : {
+ "Condition" : {
+ "Bool" : {
 "aws:SecureTransport" : false
 }
 }
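Review bot: In the worker.tf hunk the new `"Action" : "s3:*",` line carries a trailing comma while every sibling attribute of the same object (`"Sid"`, `"Effect"`, `"Principal"`, `"Resource"`) relies on newline separation; HCL accepts the mix, but for consistency it should read `"Action" : "s3:*"` like its neighbours. The `Resource` list here names both the bucket ARN and `${...}/*`, so this Deny reaches bucket- and object-level calls as intended. One hedged remark on the unchanged context: `"aws:SecureTransport" : false` serializes as a JSON boolean where the AWS examples use the string `"false"`; IAM accepts both for `Bool` conditions as far as I know, but it is worth confirming the other five policies, whose Condition blocks are outside their hunks, use a matching form so the statements stay directly comparable.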