From afa352ab69c4ec85f14c39b6dd602730501d8ceb Mon Sep 17 00:00:00 2001
From: Shreyas Rao <42259948+shreyas-s-rao@users.noreply.github.com>
Date: Wed, 3 May 2023 09:06:44 +0530
Subject: [PATCH] Block public and non-HTTPS access to S3 bucket created by integration tests (#615)

* Block public access to S3 bucket as per standard compliance rules
* Deny non-HTTPS requests to S3 buckets created by integration tests
---
 .ci/integration_test | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.ci/integration_test b/.ci/integration_test
index af682b026..82eb77eef 100755
--- a/.ci/integration_test
+++ b/.ci/integration_test
@@ -175,7 +175,11 @@ function delete_aws_secret() {
 
 function create_s3_bucket() {
   echo "Creating S3 bucket ${TEST_ID} in region ${REGION}"
-  aws s3api create-bucket --bucket ${TEST_ID} --region ${REGION} --create-bucket-configuration LocationConstraint=${REGION}
+  aws s3api create-bucket --bucket ${TEST_ID} --region ${REGION} --create-bucket-configuration LocationConstraint=${REGION} --acl private
+  # Block public access to the S3 bucket
+  aws s3api put-public-access-block --bucket ${TEST_ID} --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+  # Deny non-HTTPS requests to the S3 bucket
+  aws s3api put-bucket-policy --bucket ${TEST_ID} --policy "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::${TEST_ID}\",\"arn:aws:s3:::${TEST_ID}/*\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"},\"NumericLessThan\":{\"s3:TlsVersion\":\"1.2\"}}}]}"
 }
 
 function delete_s3_bucket() {
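Review bot: The `put-bucket-policy` line in `create_s3_bucket` most likely denies nothing, because its single statement puts `Bool aws:SecureTransport=false` and `NumericLessThan s3:TlsVersion<1.2` in one `Condition`, and condition operators inside one statement are ANDed: a plain-HTTP request carries no `s3:TlsVersion` key, so the numeric operator fails, while a TLS 1.0/1.1 request has `aws:SecureTransport=true`, so the Bool operator fails. Splitting the policy into two Deny statements, one per condition, gives the intended OR, and a heredoc makes the policy reviewable instead of a single escaped line. The three new `aws s3api` calls are also unchecked: if `put-public-access-block` or `put-bucket-policy` fails, the test continues with an unprotected bucket unless the script runs under `set -e`, which is not visible in this hunk, so each call should end with `|| return 1`. Quoting `"${TEST_ID}"` on the command lines would also be consistent with its use inside the policy JSON.
```shell
function create_s3_bucket() {
  # … unchanged: echo, create-bucket, put-public-access-block (each should end with `|| return 1`) …
  # Two separate Deny statements: condition operators within one statement are
  # ANDed, so a single statement would only match requests that fail both checks.
  local policy
  policy=$(cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${TEST_ID}", "arn:aws:s3:::${TEST_ID}/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    },
    {
      "Sid": "DenyTlsBelow12",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::${TEST_ID}", "arn:aws:s3:::${TEST_ID}/*"],
      "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}
    }
  ]
}
EOF
)
  aws s3api put-bucket-policy --bucket "${TEST_ID}" --policy "${policy}" || return 1
}
```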