add https only S3 bucket policy

dsaidgovsg · Oct 25, 2023 · 647b420 · 647b420
1 parent 24cee14
commit 647b420
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/modules/fluentd/s3.tf b/modules/fluentd/s3.tf
@@ -65,6 +65,28 @@ data "aws_iam_policy_document" "logs_s3" {
     ]
   }
 
+  statement {
+    sid     = "AllowSSLRequestsOnly"
+    actions = ["s3:*"]
+    effect  = "Deny"
+
+    resources = [
+      aws_s3_bucket.logs[0].arn,
+      "${aws_s3_bucket.logs[0].arn}/*",
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = [false]
+    }
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
+
   statement {
     effect = "Allow"