force tls on the bucket

osodevops · May 31, 2023 · c309e8a · c309e8a
1 parent c9a827a
commit c309e8a
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/aws_s3_origin_bucket_policy.tf b/aws_s3_origin_bucket_policy.tf
@@ -34,4 +34,25 @@ data "aws_iam_policy_document" "cloudfront" {
       ]
     }
   }
+
+  statement {
+    sid = "AllowSSLRequestsOnly"
+    effect = "Deny"
+    actions = [
+      "s3:*",
+    ]
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    resources = [
+      data.aws_s3_bucket.origin_bucket.arn,
+      "${data.aws_s3_bucket.origin_bucket.arn}/*"
+    ]
+  }
 }