

[PRMT-4482] Added policy statement to enforce HTTPS on SNS topics.
martin-nhs committed Feb 15, 2024
1 parent 0d0c0e1 commit f503285
Showing 1 changed file with 62 additions and 0 deletions.
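--- a/terraform/sns-topic.tf
+++ b/terraform/sns-topic.tf
@@ -98,3 +98,65 @@ data "aws_sns_topic" "alarm_notifications" {
 name = "${var.environment}-alarm-notifications-sns-topic"
 }
 
+resource "aws_sns_topic_policy" "deny_http" {
+for_each = toset(local.sns_arns)
+
+arn = each.value
+
+policy = <<EOF
+{
+"Version": "2008-10-17",
+"Id": "__default_policy_ID",
+"Statement": [
+{
+"Sid": "__default_statement_ID",
+"Effect": "Allow",
+"Principal": {
+"AWS": "*"
+},
+"Action": [
+"SNS:GetTopicAttributes",
+"SNS:SetTopicAttributes",
+"SNS:AddPermission",
+"SNS:RemovePermission",
+"SNS:DeleteTopic",
+"SNS:Subscribe",
+"SNS:ListSubscriptionsByTopic",
+"SNS:Publish",
+"SNS:Receive"
+],
+"Resource": "${each.value}",
+"Condition": {
+"StringEquals": {
+"AWS:SourceOwner": "${data.aws_caller_identity.current.account_id}"
+}
+}
+},
+{
+"Sid": "DenyHTTPSubscription",
+"Effect": "Deny",
+"Principal": "*",
+"Action": "sns:Subscribe",
+"Resource": "${each.value}",
+"Condition": {
+"StringEquals": {
+"sns:Protocol": "http"
+}
+}
+},
+{
+"Sid": "DenyHTTPPublish",
+"Effect": "Deny",
+"Principal": "*",
+"Action": "SNS:Publish",
+"Resource": "${each.value}",
+"Condition": {
+"Bool": {
+"aws:SecureTransport": "false"
+}
+}
+}
+]
+}
+EOF
+}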
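Review bot: The `DenyHTTPPublish` statement enforces TLS only for `SNS:Publish`, so every other topic operation granted by `__default_statement_ID` (Subscribe, SetTopicAttributes, AddPermission, RemovePermission, DeleteTopic, …) can still be invoked over plaintext; if the commit title's intent is to enforce HTTPS for the topic as a whole, widen that deny to `"Action": "SNS:*",`. `DenyHTTPSubscription` only rejects new `http` subscriptions and does not remove any that already exist on the topics in `local.sns_arns`, so existing subscriptions need a separate audit. Because `aws_sns_topic_policy` replaces the full policy document for each topic, any statements those topics currently carry beyond the AWS default (for example a service principal allowed to publish) are dropped unless re-added here, and if any of these topics is also declared by an `aws_sns_topic` resource that sets `policy`, the two resources will fight over the attribute — neither the local nor the topic definitions are visible in this hunk, so please confirm. Minor style: the action names are mixed-case (`sns:Subscribe` vs `SNS:Publish`; IAM matches them case-insensitively), the document declares policy version `2008-10-17` where `2012-10-17` is current, and expressing the policy with `jsonencode()` instead of the `<<EOF` heredoc would let Terraform validate the JSON at plan time.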

