diff --git a/main.tf b/main.tf
index 1c00ade64..bb1f79cf0 100644
--- a/main.tf
+++ b/main.tf
@@ -49,6 +49,7 @@ module "networking" {
   create_vpc = var.create_vpc
   enable_flow_log = var.enable_flow_log
   keep_flow_log_bucket = var.keep_flow_log_bucket
+  enable_s3_https_only = var.enable_s3_https_only
   cidr = var.network_cidr
   private_subnet_cidrs = var.network_private_subnet_cidrs
diff --git a/modules/networking/main.tf b/modules/networking/main.tf
index 3c57eba4a..f1ac6b3aa 100644
--- a/modules/networking/main.tf
+++ b/modules/networking/main.tf
@@ -62,4 +62,32 @@ resource "aws_s3_bucket" "flow_log" {
   count = (var.create_vpc && var.enable_flow_log) || var.keep_flow_log_bucket ? 1 : 0
   bucket = "${var.namespace}-vpc-flow-logs"
   force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "flow_log_https_only" {
+  count = var.enable_s3_https_only ? 1 : 0
+  bucket = aws_s3_bucket.flow_log[0].bucket
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "DenyHTTPRequests",
+        Effect = "Deny",
+        Principal = "*",
+        Action = "s3:*",
+        Resource = [
+          "arn:aws:s3:::${aws_s3_bucket.flow_log[0].bucket}",
+          "arn:aws:s3:::${aws_s3_bucket.flow_log[0].bucket}/*"
+        ],
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      }
+    ]
+  })
+
+  depends_on = [aws_s3_bucket.flow_log]
 }
\ No newline at end of file
diff --git a/modules/networking/variables.tf b/modules/networking/variables.tf
index facb8ac39..ee765d8f2 100644
--- a/modules/networking/variables.tf
+++ b/modules/networking/variables.tf
@@ -79,4 +79,10 @@ variable "keep_flow_log_bucket" {
   description = "Controls whether S3 bucket storing VPC Flow Logs will be kept"
   type = bool
   default = true
+}
+
+variable "enable_s3_https_only" {
+  description = "Controls whether HTTPS-only is enabled for s3 buckets"
+  type = bool
+  default = false
 }
\ No newline at end of file
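Review bot: The new `enable_s3_https_only = var.enable_s3_https_only` argument references a root-module variable that this diff does not declare; the only `variable "enable_s3_https_only"` added is in modules/networking/variables.tf, so unless the root variables.tf already declares it (not visible here), `terraform validate` will fail on an undeclared input variable. Add a root-level declaration that mirrors the module's, `variable "enable_s3_https_only" { type = bool, default = false }`, in the root variables file, or pass a literal to the module. The `module "networking"` block begins and ends outside this hunk.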
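Review bot: `count = var.enable_s3_https_only ? 1 : 0` on the new `aws_s3_bucket_policy.flow_log_https_only` is independent of the bucket's own count, so enabling the flag while `aws_s3_bucket.flow_log` has count 0 (create_vpc false or flow logs disabled, with keep_flow_log_bucket false) makes `aws_s3_bucket.flow_log[0]` fail at plan time with an invalid index. Gate the policy on the same condition the bucket uses: `count = var.enable_s3_https_only && ((var.create_vpc && var.enable_flow_log) || var.keep_flow_log_bucket) ? 1 : 0`. Separately, `aws_s3_bucket_policy` replaces the bucket's whole policy document; if the grant that lets the flow-log delivery service write into this bucket currently lives in an auto-generated or separately managed bucket policy (not visible in this diff), attaching this Deny-only document would drop it and silently stop log delivery, so confirm that delivery statement is merged into this document or that no such policy exists. The explicit `depends_on = [aws_s3_bucket.flow_log]` is redundant because the `bucket` and `Resource` references already establish the dependency, and the two ARNs could be `aws_s3_bucket.flow_log[0].arn` and `"${aws_s3_bucket.flow_log[0].arn}/*"` rather than being rebuilt from the bucket name.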
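Review bot: The description `"Controls whether HTTPS-only is enabled for s3 buckets"` overstates the variable's scope: in this change it gates only a bucket policy on the VPC Flow Logs bucket, and it has no effect when that bucket is not created. Suggest `description = "Attach a bucket policy that denies non-TLS requests (aws:SecureTransport = false) to the VPC Flow Logs S3 bucket; only applies when that bucket is created"`. With `default = false` the control is opt-in and existing deployments keep accepting plaintext requests to the log bucket; consider whether `true` should be the default and document the variable as an opt-out if so.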