Merge pull request #4676 from giantswarm/s3-transit-encryption

✨ Enable transit encryption to S3 bucket
kubernetes-sigs · Dec 13, 2023 · 7be1c77 · 7be1c77
2 parents 5711479 + 26ac0d3
commit 7be1c77
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/pkg/cloud/services/s3/s3.go b/pkg/cloud/services/s3/s3.go
@@ -306,6 +306,20 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
 			Action:   []string{"s3:GetObject"},
 			Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/control-plane/*", partition, bucketName)},
 		},
+		{
+			Sid:    "ForceSSLOnlyAccess",
+			Effect: iam.EffectDeny,
+			Principal: map[iam.PrincipalType]iam.PrincipalID{
+				iam.PrincipalAWS: []string{"*"},
+			},
+			Action:   []string{"s3:*"},
+			Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/*", partition, bucketName)},
+			Condition: iam.Conditions{
+				"Bool": map[string]interface{}{
+					"aws:SecureTransport": false,
+				},
+			},
+		},
 	}
 
 	for _, iamInstanceProfile := range bucket.NodesIAMInstanceProfiles {

diff --git a/pkg/cloud/services/s3/s3_test.go b/pkg/cloud/services/s3/s3_test.go
@@ -201,6 +201,10 @@ func TestReconcileBucket(t *testing.T) {
 			if !strings.Contains(policy, "arn:aws:iam::foo:role/control-plane.cluster-api-provider-aws.sigs.k8s.io") {
 				t.Errorf("Expected arn to contain the right principal; got: %v", policy)
 			}
+
+			if !strings.Contains(policy, "SecureTransport") {
+				t.Errorf("Expected deny when not using SecureTransport; got: %v", policy)
+			}
 		}).Return(nil, nil).Times(1)
 
 		if err := svc.ReconcileBucket(); err != nil {