diff --git a/modules/cloudfront-logs/kms.tf b/modules/cloudfront-logs/kms.tf
index d4e1534..25c59b0 100644
--- a/modules/cloudfront-logs/kms.tf
+++ b/modules/cloudfront-logs/kms.tf
@@ -4,6 +4,7 @@ resource "aws_kms_key" "cloudwatch_logs_key" {
   description             = "KMS Key for ${var.log_group_name} log group"
   deletion_window_in_days = 10
   policy                  = data.aws_iam_policy_document.cloudwatch_logs_key_policy[0].json
+  enable_key_rotation = true
 }
 
 data "aws_iam_policy_document" "cloudwatch_logs_key_policy" {
diff --git a/modules/opennext-assets/s3.tf b/modules/opennext-assets/s3.tf
index e9cf56f..7c0668d 100644
--- a/modules/opennext-assets/s3.tf
+++ b/modules/opennext-assets/s3.tf
@@ -165,6 +165,22 @@ data "aws_iam_policy_document" "read_assets_bucket" {
       identifiers = [var.server_function_role_arn]
     }
   }
+  statement {
+    effect = "Deny"
+    actions = ["s3:*"]
+    resources = [aws_s3_bucket.assets.arn, "${aws_s3_bucket.assets.arn}/*"]
+
+    condition {
+      test = "Bool"
+      values = ["false"]
+      variable = "aws:SecureTransport"
+    }
+
+    principals {
+      type = "*"
+      identifiers = ["*"]
+    }
+  }
 }
 
 # Static Assets
diff --git a/modules/opennext-revalidation-queue/kms.tf b/modules/opennext-revalidation-queue/kms.tf
index fc566ad..8d6e247 100644
--- a/modules/opennext-revalidation-queue/kms.tf
+++ b/modules/opennext-revalidation-queue/kms.tf
@@ -10,6 +10,7 @@ resource "aws_kms_key" "revalidation_queue_key" {
   deletion_window_in_days = 10
 
   policy = data.aws_iam_policy_document.revalidation_queue_key_policy[0].json
+  enable_key_rotation = true
 }
 
 data "aws_iam_policy_document" "revalidation_queue_key_policy" {