Add a bucket policy document that explicitly denies non-TLS (HTTP) access so buckets created by the module satisfy the TLS-only compliance rule.
The S3 module does not force a bucket policy that explicitly denies requests made over plain HTTP (`aws:SecureTransport = false`), so every consumer has to remember to add one, and buckets created without it are reachable unencrypted in transit.
Example of a consumer passing such a policy today (the highlighted `bucket_policy` line is the part the module should provide by default):
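# Example consumer of the shared S3 module. The markdown bold markers that
# previously surrounded the bucket_policy line are not valid HCL and have
# been replaced by this comment: bucket_policy is the line under discussion.
module "one_spc_datalake_s3_bucket" {
  source = "git::https://git.cloud.safran/safrangrp/publiccloud/landingzone/shared-modules/terraform-aws-s3.git?ref=2.2.1"

  company       = var.company
  service_id    = var.service_id
  security      = var.security
  environment   = var.environment
  name          = "onespcdatalake"
  versioning    = true
  force_destroy = false

  # Server-side encryption at rest with a customer-managed KMS key.
  encryption_type = "kms"
  kms_key_arn     = data.aws_kms_key.s3.arn

  # Encryption in transit: a Deny statement for aws:SecureTransport=false.
  # Today the caller has to pass this explicitly; the module should merge it
  # into the bucket policy by default so it cannot be forgotten.
  # NOTE(review): how the module merges bucket_policy with its own statements
  # and substitutes the bucket ARN placeholder is not visible here — confirm
  # in the module source.
  bucket_policy = [data.aws_iam_policy_document.enforce_tls_s3_bucket_policy.json]
}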
With a policy document like the following. Note that the resource list must cover both the bucket ARN and `bucket/*`: a rule scoped to objects only still allows bucket-level calls (e.g. `ListBucket`, `GetBucketLocation`) over plain HTTP, which is what the TLS-only compliance checks look for.
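# Deny every request that is not made over TLS (aws:SecureTransport == false).
# The statement must name both the bucket itself and every key under it:
# the original version listed only "${self_ref}/*", which leaves bucket-level
# operations (ListBucket, GetBucketLocation, ...) reachable over plain HTTP
# and fails the usual "SSL requests only" compliance checks.
data "aws_iam_policy_document" "enforce_tls_s3_bucket_policy" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    # {"AWS": "*"} — all AWS principals, including anonymous; equivalent to
    # Principal "*" for a Deny statement.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Only S3 actions are valid in a bucket policy, so scope the wildcard to
    # the service rather than using a bare "*".
    actions = ["s3:*"]

    # "$${self_ref}" is the literal text "${self_ref}" (HCL escape), presumably
    # a placeholder the module replaces with the bucket ARN — confirm in the
    # module source before relying on it.
    resources = [
      "$${self_ref}",
      "$${self_ref}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}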