1414
1515POLICY_NAME_FORMAT = '{bucket_name}-owner-policy'
1616
17+ REQUIRE_HTTPS_CONDITION = {
18+ "Bool" : {
19+ # Require HTTPS
20+ "aws:SecureTransport" : "true"
21+ },
22+ "NumericGreaterThanEquals" : {
23+ # Require TLS >= 1.2
24+ "s3:TlsVersion" : [
25+ "1.2"
26+ ]
27+ }
28+ }
29+
1730
1831class BucketCreator :
1932 def __init__ (self , profile_name = None , region_name = None ):
@@ -37,8 +50,7 @@ def commit(self, data):
3750 if data .get ('enable_versioning' ):
3851 self .enable_versioning (bucket )
3952
40- def get_bucket_policy_statement_for_get_object (self , bucket ,
41- public_get_object_paths ):
53+ def get_bucket_policy_statement_for_get_object (self , bucket , public_get_object_paths ):
4254 """
4355 Create policy statement to enable the public to perform s3:getObject
4456 on specified paths.
@@ -60,6 +72,8 @@ def format_path(path):
6072 "Principal" : "*" ,
6173 "Action" : ["s3:GetObject" ],
6274 "Resource" : paths_resources ,
75+ # Require HTTPS for public requests
76+ "Condition" : REQUIRE_HTTPS_CONDITION
6377 }
6478
6579 def get_bucket_policy_statements_for_user_access (self , bucket , user ):
@@ -79,7 +93,9 @@ def get_bucket_policy_statements_for_user_access(self, bucket, user):
7993 ],
8094 "Resource" : "arn:aws:s3:::{bucket_name}" .format (
8195 bucket_name = bucket .name
82- )
96+ ),
97+ # Require HTTPS for API
98+ "Condition" : REQUIRE_HTTPS_CONDITION
8399 }
84100 # Create policy statement giving the created user full access over the
85101 # objects.
@@ -92,7 +108,9 @@ def get_bucket_policy_statements_for_user_access(self, bucket, user):
92108 "Action" : "s3:*" ,
93109 "Resource" : "arn:aws:s3:::{bucket_name}/*" .format (
94110 bucket_name = bucket .name
95- )
111+ ),
112+ # Require HTTPS for API
113+ "Condition" : REQUIRE_HTTPS_CONDITION
96114 }
97115
98116 def set_bucket_policy (self , bucket , user , allow_public_acls , public_get_object_paths = None ):
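Review bot: `REQUIRE_HTTPS_CONDITION` is attached only to `Allow` statements (the public `s3:GetObject` statement and the two user-access statements), so it narrows what this bucket policy grants but does not reject plaintext or pre-1.2 TLS requests that some other policy authorizes. `POLICY_NAME_FORMAT` suggests the owner also receives an identity policy; if that policy grants the same actions without the condition, the owner's HTTP requests would presumably still succeed. Enforcing the transport requirement regardless of other grants needs explicit `Deny` statements on the bucket and object ARNs with `"Principal": "*"`, one conditioned on `"Bool": {"aws:SecureTransport": "false"}` and one on `"NumericLessThan": {"s3:TlsVersion": "1.2"}`. They would belong where the statements are assembled, which appears to be `set_bucket_policy`, whose body lies outside these hunks. All three statements also reference the same module-level dict object, so a comment on the constant such as `# shared by every statement; do not mutate` would help.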