Merge branch 'master' of github.e.it.census.gov:terraform-modules/aws…

…-t26-s3 into initial
terraform-modules · Jun 22, 2020 · 237be6d · 237be6d
2 parents aa0c90b + 21fa43b
commit 237be6d
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -22,6 +22,38 @@ resource "aws_s3_bucket" "this" {
     prevent_destroy = true
   }
 
+data "aws_iam_policy_document" "t26_s3" {
+  statement {
+    sid     = "DenyIncorrectEncryptionHeader"
+    effect  = "Deny"
+    actions = ["s3:PutObject"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = ["${aws_s3_bucket.t26.arn}/*"]
+    condition {
+      test     = "StringNotEquals"
+      variable = "s3:x-amz-server-side-encryption"
+      values   = ["aws:kms"]
+    }
+  }
+  statement {
+    sid     = "DenyUnEncryptedObjectUploads"
+    effect  = "Deny"
+    actions = ["s3:PutObject"]
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    resources = ["${aws_s3_bucket.t26.arn}/*"]
+    condition {
+      test     = "Null"
+      variable = "s3:x-amz-server-side-encryption"
+      values     = ["true"]
+    }
+  }
+
   tags = merge(
     var.tags,
     local.enforced_tags,