Enforce secure transport for raw-hist-dev

ministryofjustice · Jan 6, 2025 · 4464382 · 4464382
1 parent 7cabd9f
commit 4464382
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf b/terraform/aws/analytical-platform-data-production/data-engineering-pipelines/locals.tf
@@ -2422,12 +2422,26 @@ locals {
               Resource = "arn:aws:s3:::mojap-raw-hist-dev/hmpps/oasys/*"
               Sid      = "DenyUnEncryptedObjectUploads-mojap-raw-hist-dev-hmpps-oasys"
             },
+            {
+              Action = "s3:*"
+              Condition = {
+                Bool = {
+                  "aws:SecureTransport" = "false"
+                }
+              }
+              Principal = "*"
+              Effect    = "Deny"
+              Resource = [
+                "arn:aws:s3:::mojap-raw-hist-dev/*",
+                "arn:aws:s3:::mojap-raw-hist-dev"
+              ]
+              Sid = "DenyInsecureTransport"
+            },
           ]
           Version = "2012-10-17"
         }
       )
     }
-
     "mojap-raw-hist-preprod" = {
       grant = [{
         id         = data.aws_canonical_user_id.current.id