Revise bucket policy to enforce tls v1.2 or higher connections

Bumping from just enforcing connections over HTTPS to ensuring the connection is using at least TLS v1.2 (and therefore inherently using https). This aligns with comments raised in various IT health checks.
ministryofjustice · Aug 15, 2024 · e810ef3 · e810ef3
1 parent f95c656
commit e810ef3
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -199,22 +199,21 @@ data "aws_iam_policy_document" "default" {
   override_policy_documents = concat(var.bucket_policy, [data.aws_iam_policy_document.bucket_policy_v2.json])
 
   statement {
+    sid = "EnforceTLSv12orHigher"
     effect  = "Deny"
     actions = ["s3:*"]
     resources = [
       aws_s3_bucket.default.arn,
       "${aws_s3_bucket.default.arn}/*"
     ]
-
     principals {
       identifiers = ["*"]
       type        = "AWS"
     }
-
     condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = ["false"]
+      test     = "NumericLessThan"
+      variable = "s3:TlsVersion"
+      values   = [1.2]
     }
   }
 }