From ff3b0782acd6c58cd45334b439864b98cb9a6c9f Mon Sep 17 00:00:00 2001
From: dchocoboo <86618807+dchocoboo@users.noreply.github.com>
Date: Fri, 2 Sep 2022 19:44:41 +0800
Subject: [PATCH] add securetransport for compliance (#8)

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-ssl-requests-only.html

Co-authored-by: David
---
 main.tf | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/main.tf b/main.tf
index 13e18ba..cfdbda4 100644
--- a/main.tf
+++ b/main.tf
@@ -72,6 +72,32 @@ data "aws_iam_policy_document" "logs_access_policy_document" {
 actions = ["s3:GetBucketAcl"]
 resources = [aws_s3_bucket.logs.arn]
 }
+
+ statement {
+ sid = "https-only"
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ effect = "Deny"
+
+ actions = [
+ "s3:*",
+ ]
+
+ resources = [
+ "arn:aws:s3:::${aws_s3_bucket.logs.id}",
+ "arn:aws:s3:::${aws_s3_bucket.logs.id}/*",
+ ]
+
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [false]
+ }
+ }
 }
 
 #------------------------------------------------------------------------------
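Review bot: The new statement's `resources` hard-code the `arn:aws:` partition while the statement just above it uses `aws_s3_bucket.logs.arn`; building both entries from the ARN attribute keeps the deny correct in non-standard partitions and consistent with the rest of the document: `resources = [aws_s3_bucket.logs.arn, "${aws_s3_bucket.logs.arn}/*"]`. `values = [false]` relies on Terraform coercing a bool into the string the `Bool` condition expects, so quoting it as `values = ["false"]` makes that explicit and matches how the referenced Config rule states the condition. The enclosing `data "aws_iam_policy_document"` block starts before the hunk, and the deny only takes effect if this document is the one attached as the bucket's policy, which this hunk does not show.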