Enforce SSL on library controlled buckets.

lib/build-image-data.ts

@@ -40,6 +40,7 @@ export class BuildImageDataStack extends cdk.Stack {
       versioned: true,
       removalPolicy: cdk.RemovalPolicy.DESTROY,
       autoDeleteObjects: true,
+      enforceSSL: true,
     });
 
     const dataBucketDeploymentRole = new iam.Role(

test/__snapshots__/build-image-data.test.ts.snap

@@ -214,6 +214,40 @@ exports[`Build Image Data Snapshot 1`] = `
         },
         "PolicyDocument": {
           "Statement": [
+            {
+              "Action": "s3:*",
+              "Condition": {
+                "Bool": {
+                  "aws:SecureTransport": "false",
+                },
+              },
+              "Effect": "Deny",
+              "Principal": {
+                "AWS": "*",
+              },
+              "Resource": [
+                {
+                  "Fn::GetAtt": [
+                    "BuildImageDataBucketE6A8BC04",
+                    "Arn",
+                  ],
+                },
+                {
+                  "Fn::Join": [
+                    "",
+                    [
+                      {
+                        "Fn::GetAtt": [
+                          "BuildImageDataBucketE6A8BC04",
+                          "Arn",
+                        ],
+                      },
+                      "/*",
+                    ],
+                  ],
+                },
+              ],
+            },
             {
               "Action": [
                 "s3:GetBucket*",

test/build-image-data-nag.test.ts

@@ -29,10 +29,6 @@ describe('BuildImageDataStack cdk-nag AwsSolutions Pack', () => {
         id: 'AwsSolutions-IAM5',
         reason: 'TODO: Re-evaluate "*" per resources.',
       },
-      {
-        id: 'AwsSolutions-S10',
-        reason: 'TODO: Require SSL for bucket access.',
-      },
     ]);
 
     NagSuppressions.addResourceSuppressionsByPath(