From 61bc94d5641581e62bfe7cc78ce1f5ab69168470 Mon Sep 17 00:00:00 2001
From: ashle001
Date: Thu, 24 Sep 2020 09:31:23 -0400
Subject: [PATCH] add ssl enforcement policy
---
 main.tf | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/main.tf b/main.tf
index b0aa5fb..7ed8c87 100644
--- a/main.tf
+++ b/main.tf
@@ -97,6 +97,18 @@ data "aws_iam_policy_document" "this" {
 values = ["true"]
 }
 }
+ statement {
+ sid = "enforceSSL"
+ effe = "Deny"
+ principals = "*",
+ actions = "s3:*",
+ resources = [aws_s3_bucket.this.arn, "${aws_s3_bucket.this.arn}/*"]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
 }
 #---
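Review bot: The added `enforceSSL` statement will not pass `terraform validate` as written, so the TLS-only deny never reaches the bucket policy: `effe` is not an argument of `statement`, `principals` is a nested block rather than a string attribute, `actions` expects a list, and the trailing commas after `"*"` and `"s3:*"` are HCL syntax errors. The `effe` typo deserves particular care because `effect` defaults to `Allow` in `aws_iam_policy_document`, so the argument has to be spelled out as `effect = "Deny"` for the statement to mean what its sid says. The rewritten lines are below; the `resources` list and the `aws:SecureTransport` condition are fine as they are. The enclosing `data "aws_iam_policy_document" "this"` block starts above the hunk, so how the document is attached to the bucket is not visible here.

```hcl
  statement {
    # … unchanged: sid = "enforceSSL" …
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    # … unchanged: resources and the aws:SecureTransport condition …
  }
```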