bugfix - deny all insecure traffic to all s3 (#182)

* bugfix - deny all insecure traffic to all s3

* sefsev

Author: eddalmond1

Makefile

@@ -1,5 +1,5 @@
 # This file is for you! Edit it to implement your own hooks (make targets) into
-# the project as automated steps to be executed on locally and in the CD pipeline.
+# the project as automated steps to be executed on locally and in the CD pipeline
 # ==============================================================================
 include scripts/init.mk
 

infrastructure/modules/s3/s3.tf

@@ -14,6 +14,39 @@ resource "aws_s3_bucket_versioning" "storage_bucket_versioning_config" {
   }
 }
 
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "tfstate_bucket" {
+  bucket = aws_s3_bucket.storage_bucket.id
+  policy = data.aws_iam_policy_document.storage_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "storage_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      aws_s3_bucket.storage_bucket.arn,
+      "${aws_s3_bucket.storage_bucket.arn}/*",
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
 # Block public access to the bucket
 resource "aws_s3_bucket_public_access_block" "storage_bucket_block_public_access" {
   bucket = aws_s3_bucket.storage_bucket.id
@@ -77,6 +110,36 @@ resource "aws_s3_bucket_logging" "storage_bucket_logging_config" {
   target_prefix = "bucket_logs/"
 }
 
+resource "aws_s3_bucket_policy" "storage_bucket_access_logs" {
+  bucket = aws_s3_bucket.storage_bucket_access_logs.id
+  policy = data.aws_iam_policy_document.access_logs_s3_bucket_policy.json
+}
+data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
+  statement {
+    sid = "AllowSslRequestsOnly"
+    actions = [
+      "s3:*",
+    ]
+    effect = "Deny"
+    resources = [
+      aws_s3_bucket.storage_bucket_access_logs.arn,
+      "${aws_s3_bucket.storage_bucket_access_logs.arn}/*",
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test = "Bool"
+      values = [
+        "false",
+      ]
+
+      variable = "aws:SecureTransport"
+    }
+  }
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
   bucket = aws_s3_bucket.storage_bucket_access_logs.id
 

infrastructure/stacks/api-layer/iam_policies.tf

@@ -29,39 +29,6 @@ resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
   policy = data.aws_iam_policy_document.dynamodb_write_policy_doc.json
 }
 
-
-# Deny all S3 actions on the access logs bucket unless requests use secure (SSL) transport.
-data "aws_iam_policy_document" "storage_bucket_access_logs_policy" {
-  statement {
-    sid = "AllowSSLRequestsOnly"
-    actions = [
-      "s3:*",
-    ]
-    effect = "Deny"
-    resources = [
-      module.s3_rules_bucket.storage_bucket_access_logs_arn,
-      "${module.s3_rules_bucket.storage_bucket_access_logs_arn}/*",
-    ]
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-    condition {
-      test = "Bool"
-      values = [
-        "false",
-      ]
-
-      variable = "aws:SecureTransport"
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "storage_bucket_access_logs_policy" {
-  bucket = module.s3_rules_bucket.storage_bucket_access_logs_id
-  policy = data.aws_iam_policy_document.storage_bucket_access_logs_policy.json
-}
-
 # Policy doc for S3 Rules bucket
 data "aws_iam_policy_document" "s3_rules_bucket_policy" {
   statement {
@@ -82,7 +49,6 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
   }
 }
 
-
 # Attach s3 read policy to Lambda role
 resource "aws_iam_role_policy" "lambda_s3_read_policy" {
   name   = "S3ReadAccess"