add s3 bucket policy deny for non HTTPS traffic

nhs-england-tools · Aug 2, 2023 · eb4d58e · eb4d58e
1 parent 3c2e72a
commit eb4d58e
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
@@ -165,6 +165,22 @@ data "aws_iam_policy_document" "read_assets_bucket" {
       identifiers = [var.server_function_role_arn]
     }
   }
+  statement {
+    effect = "Deny"
+    actions = ["s3:*"]
+    resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
+
+    condition {
+      test = "Bool"
+      values = ["false"]
+      variable = "aws:SecureTransport"
+    }
+
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+  }
 }
 
 # Static Assets