Deny non-HTTPS requests to the S3 bucket

gardener · Apr 21, 2023 · 18ec623 · 18ec623
1 parent db16c16
commit 18ec623
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/.ci/integration_test b/.ci/integration_test
@@ -176,7 +176,10 @@ function delete_aws_secret() {
 function create_s3_bucket() {
   echo "Creating S3 bucket ${TEST_ID} in region ${REGION}"
   aws s3api create-bucket --bucket ${TEST_ID} --region ${REGION} --create-bucket-configuration LocationConstraint=${REGION} --acl private
+  # Block public access to the S3 bucket
   aws s3api put-public-access-block --bucket ${TEST_ID} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+  # Deny non-HTTPS requests to the S3 bucket
+  aws s3api put-bucket-policy --bucket ${TEST_ID} --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::${TEST_ID}\",\"arn:aws:s3:::${TEST_ID}/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"},\"NumericLessThan\":{\"s3:TlsVersion\":\"1.2\"}}}]}"
 }
 
 function delete_s3_bucket() {