terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page:https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws


Policy to enforce server-side-encryption

gw0 opened this issue · comments

commented

I stumbled upon the following AWS Policy that supposedly prevents unencrypted uploads... Maybe it would make sense to add it to existing policies?

data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
  statement {
    sid    = "DenyIncorrectEncryptionHeader"
    effect = "Deny"
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${var.arn_format}:s3:::${local.bucket_name}/*",
    ]
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values = [
        "AES256",
        "aws:kms"
      ]
    }
  }

  statement {
    sid    = "DenyUnEncryptedObjectUploads"
    effect = "Deny"
    principals {
      identifiers = ["*"]
      type        = "AWS"
    }
    actions = [
      "s3:PutObject"
    ]
    resources = [
      "${var.arn_format}:s3:::${local.bucket_name}/*",
    ]
    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values = [
        "true"
      ]
    }
  }

  statement {
    sid    = "EnforceTlsRequestsOnly"
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions = ["s3:*"]
    resources = [
      "${var.arn_format}:s3:::${local.bucket_name}",
      "${var.arn_format}:s3:::${local.bucket_name}/*",
    ]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
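As an added example (not code from the issue or from the module), a small Python evaluator for the three Deny statements above, run against constructed request contexts; it shows why the policy carries two SSE statements, since the Null condition catches a missing header while StringNotEquals catches a wrong value. It assumes a request context is a dict of condition keys, that a key absent from the context does not satisfy StringNotEquals or Bool, and it skips resource and principal matching because every statement targets the same bucket.

```python
# Added example (not the issue's or the module's code): evaluates the three
# Deny statements above against constructed request contexts. Assumptions: a
# context is a dict of condition keys; a key missing from the context does not
# match StringNotEquals or Bool (the Null statement is what catches an absent
# SSE header); resource/principal matching is skipped (same bucket throughout).

POLICY = [
    {"sid": "DenyIncorrectEncryptionHeader", "action": "s3:PutObject",
     "test": "StringNotEquals", "key": "s3:x-amz-server-side-encryption",
     "values": {"AES256", "aws:kms"}},
    {"sid": "DenyUnEncryptedObjectUploads", "action": "s3:PutObject",
     "test": "Null", "key": "s3:x-amz-server-side-encryption",
     "values": {"true"}},
    {"sid": "EnforceTlsRequestsOnly", "action": "s3:*",
     "test": "Bool", "key": "aws:SecureTransport", "values": {"false"}},
]

def condition_matches(test, key, values, ctx):
    """Evaluate one IAM condition against the request context dict."""
    if test == "Null":
        # Null with "true" matches when the key is absent from the request
        return ("true" in values) == (key not in ctx)
    if key not in ctx:
        return False  # assumption: an absent key never matches these operators
    if test == "StringNotEquals":
        return ctx[key] not in values
    if test == "Bool":
        return str(ctx[key]).lower() in values
    raise ValueError(f"unsupported condition operator {test}")

def action_matches(pattern, action):
    """Match an action name against an exact name or a trailing-wildcard pattern."""
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action

def denied_by(action, ctx):
    """Return the sids of the Deny statements that match a request."""
    return [s["sid"] for s in POLICY
            if action_matches(s["action"], action)
            and condition_matches(s["test"], s["key"], s["values"], ctx)]

if __name__ == "__main__":
    # Constructed request contexts; no real bucket or credentials are involved.
    for action, ctx in [
        ("s3:PutObject", {"aws:SecureTransport": True, "s3:x-amz-server-side-encryption": "aws:kms"}),
        ("s3:PutObject", {"aws:SecureTransport": True}),
        ("s3:PutObject", {"aws:SecureTransport": True, "s3:x-amz-server-side-encryption": "AES128"}),
        ("s3:GetObject", {"aws:SecureTransport": False}),
    ]:
        print(action, ctx, "->", denied_by(action, ctx) or "not denied by this policy")
```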

This sounds like a good addition to the module. Will you be able to open a PR?

commented

> This sounds like a good addition to the module. Will you be able to open a PR?

Waiting for me would take quite some time, I just posted a suggestion...