
Commit 2db94af

Add missing secureTransport for logArchive bucket (#678)
1 parent c4556d3 commit 2db94af


1 file changed

+15
-0
lines changed


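--- a/src/deployments/cdk/src/deployments/defaults/step-1.ts
+++ b/src/deployments/cdk/src/deployments/defaults/step-1.ts
@@ -275,6 +275,21 @@ function createCentralLogBucket(props: DefaultsStep1Props) {
     }),
   );
 
+  // Allow only https requests
+  logBucket.addToResourcePolicy(
+    new iam.PolicyStatement({
+      actions: ['s3:*'],
+      resources: [logBucket.bucketArn, logBucket.arnForObjects('*')],
+      principals: [new iam.AnyPrincipal()],
+      conditions: {
+        Bool: {
+          'aws:SecureTransport': 'false',
+        },
+      },
+      effect: iam.Effect.DENY,
+    }),
+  );
+
   new CfnLogBucketOutput(logAccountStack, 'LogBucketOutput', {
     bucketArn: logBucket.bucketArn,
     bucketName: logBucket.bucketName,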
