Policy to enforce server-side encryption
gw0 commented
I stumbled upon the following S3 bucket policy (as an `aws_iam_policy_document`) that is meant to deny unencrypted uploads and non-TLS requests. Maybe it would make sense to add it to the module's existing policies?
# Bucket-policy statements that make the bucket refuse plaintext writes and
# plaintext transport. Every statement is an explicit Deny against all
# principals, so no Allow elsewhere can override them.
#
# NOTE(review): "DenyUnEncryptedObjectUploads" rejects any PutObject that does
# not carry the x-amz-server-side-encryption header, even when default bucket
# encryption would have encrypted the object anyway. Clients and AWS services
# that write without the header (e.g. a plain `aws s3 cp` without --sse, or
# service log delivery) will get AccessDenied — confirm every writer sets the
# header before attaching this policy.
#
# NOTE(review): the allow-list below names only "AES256" and "aws:kms"; any
# other SSE mode value (such as "aws:kms:dsse") is denied by the first
# statement — confirm that is intended.
data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
  # Reject uploads whose SSE header names something other than SSE-S3 or
  # SSE-KMS. A missing header is handled by the next statement, not this one;
  # do not rely on StringNotEquals alone for the header-absent case.
  statement {
    sid       = "DenyIncorrectEncryptionHeader"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${var.arn_format}:s3:::${local.bucket_name}/*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["AES256", "aws:kms"]
    }
  }

  # Reject uploads that omit the SSE header entirely: the Null operator with
  # value "true" matches when the key is absent from the request context.
  statement {
    sid       = "DenyUnEncryptedObjectUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${var.arn_format}:s3:::${local.bucket_name}/*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }

  # Reject every S3 call against the bucket and its objects that arrives
  # over plain HTTP (aws:SecureTransport is false).
  statement {
    sid     = "EnforceTlsRequestsOnly"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      "${var.arn_format}:s3:::${local.bucket_name}",
      "${var.arn_format}:s3:::${local.bucket_name}/*",
    ]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
Anton Babenko commented
This sounds like a good addition to the module. Will you be able to open a PR?
gw0 commented
This sounds like a good addition to the module. Will you be able to open a PR?
Waiting for me would take quite some time; I only posted this as a suggestion...