Add HTTPS enforcement to CUR bucket policy (#64)

UKHomeOffice · Apr 16, 2024 · 36f6714 · 36f6714
1 parent 5ca97a9
commit 36f6714
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/modules/aws/cost_usage_reports/main.tf b/modules/aws/cost_usage_reports/main.tf
@@ -162,6 +162,20 @@ resource "aws_s3_bucket_policy" "cur_S3_bucket_policy" {
             "aws:SourceArn" : "arn:aws:cur:us-east-1:${var.billing_account}:definition/*"
           }
         }
+      },
+      {
+        "Effect" : "Deny",
+        "Principal" : "*",
+        "Action" : "s3:*",
+        "Resource" : [
+          "arn:aws:s3:::cid-${var.billing_account}-central-finops-local",
+          "arn:aws:s3:::cid-${var.billing_account}-central-finops-local/*",
+        ],
+        "Condition" : {
+          "Bool" : {
+            "aws:SecureTransport" = "false"
+          }
+        }
       }
     ]
   })