From cdb73b64fc7c9d93d7349105a990cc559565eef7 Mon Sep 17 00:00:00 2001
From: ashle001
Date: Mon, 22 Jun 2020 13:48:18 -0400
Subject: [PATCH] add encryption enforcement

---
 main.tf | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/main.tf b/main.tf
index 5fe6b9c..6cb18d3 100644
--- a/main.tf
+++ b/main.tf
@@ -22,6 +22,38 @@ resource "aws_s3_bucket" "this" {
 prevent_destroy = true
 }

+data "aws_iam_policy_document" "t26_s3" {
+ statement {
+ sid = "DenyIncorrectEncryptionHeader"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.t26.arn}/*"]
+ condition {
+ test = "StringNotEquals"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["aws:kms"]
+ }
+ }
+ statement {
+ sid = "DenyUnEncryptedObjectUploads"
+ effect = "Deny"
+ actions = ["s3:PutObject"]
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+ resources = ["${aws_s3_bucket.t26.arn}/*"]
+ condition {
+ test = "Null"
+ variable = "s3:x-amz-server-side-encryption"
+ values = ["true"]
+ }
+ }
+
 tags = merge(
 var.tags,
 local.enforced_tags,
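Review bot: The new `data "aws_iam_policy_document" "t26_s3"` block lands between the `prevent_destroy` lifecycle block and `tags = merge(` inside `resource "aws_s3_bucket" "this"` (per the `@@` context), and its closing `}` never appears — only the condition and statement braces close before the trailing blank `+` line — so as written the file should fail `terraform validate`; the block needs to move to top level and be closed. It also references `aws_s3_bucket.t26` while the enclosing resource is `this`; unless a `t26` bucket is declared outside this hunk, that reference is unresolved. Nothing consumes the document: an `aws_iam_policy_document` data source is inert until an `aws_s3_bucket_policy` attaches its `.json`, so as committed no upload is actually denied. Consider also adding a `StringNotEquals` condition on `s3:x-amz-server-side-encryption-aws-kms-key-id`, since `aws:kms` alone accepts any KMS key the caller may use. The enclosing `aws_s3_bucket` resource starts and ends outside the hunk.

```hcl
# … unchanged: both Deny statements of data "aws_iam_policy_document" "t26_s3", moved out of the aws_s3_bucket resource body …
}

resource "aws_s3_bucket_policy" "t26_s3" {
  # must name the same bucket the statements' resources target; "t26" vs "this" to be confirmed
  bucket = aws_s3_bucket.t26.id
  policy = data.aws_iam_policy_document.t26_s3.json
}
```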