diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml index abed5067ea..4f63e34393 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml @@ -123,6 +123,24 @@ Resources: VersioningConfiguration: Status: Enabled + LogBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref LogBucket + PolicyDocument: + Version: '2012-10-17' + Statement: + - Sid: Deny requests that do not use TLS/HTTPS + Effect: Deny + Principal: '*' + Action: s3:* + Resource: + - !Join ['/', [!GetAtt LogBucket.Arn, '*']] + - !GetAtt LogBucket.Arn + Condition: + Bool: + aws:SecureTransport: false + MasterSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: diff --git a/main/solution/backend/config/infra/cloudformation.yml b/main/solution/backend/config/infra/cloudformation.yml index a6b6f8ee5d..a0364843d3 100644 --- a/main/solution/backend/config/infra/cloudformation.yml +++ b/main/solution/backend/config/infra/cloudformation.yml @@ -181,11 +181,13 @@ Resources: PolicyDocument: Version: '2012-10-17' Statement: - - Sid: Deny requests that do not use TLS + - Sid: Deny requests that do not use TLS/HTTPS Effect: Deny Principal: '*' Action: s3:* - Resource: !Join ['/', [!GetAtt ExternalCfnTemplatesBucket.Arn, '*']] + Resource: + - !Join ['/', [!GetAtt ExternalCfnTemplatesBucket.Arn, '*']] + - !GetAtt ExternalCfnTemplatesBucket.Arn Condition: Bool: aws:SecureTransport: false 
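Review bot: LogBucketPolicy only carries the TLS deny, while EgressNotificationBucketPolicy, added by this same commit in main/solution/backend/config/infra/cloudformation.yml, also denies requests that are not signed with SigV4; keeping the two new policies in step would mean adding that second statement here as well. As far as I know EMR log delivery signs with SigV4, so the extra deny should not block log writes, but that is worth confirming on a test cluster. I have also not confirmed that S3 accepts the forward slash in the new Sid `Deny requests that do not use TLS/HTTPS`; the Sids these templates used before contained only letters and spaces, so a stack deploy would settle it. The lines below are the backend statement with the bucket name swapped and the bucket ARN included alongside the object pattern.
```yaml
        Statement:
          # … unchanged: TLS/HTTPS deny statement …
          - Sid: Deny requests that do not use SigV4
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !Join ['/', [!GetAtt LogBucket.Arn, '*']]
              - !GetAtt LogBucket.Arn
            Condition:
              StringNotEquals:
                s3:signatureversion: 'AWS4-HMAC-SHA256'
```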
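Review bot: The bucket ARN newly listed under Resource has no comment explaining why the object pattern alone was not enough, and the same change repeats at @@ -269 and @@ -420 in this file and in both hunks of main/solution/infrastructure/config/infra/cloudformation.yml. The object pattern `bucket-arn/*` does not match bucket-level calls such as ListBucket, so a one-line comment above the list, `# bucket ARN too: bucket-level calls (e.g. ListBucket) are not matched by the object pattern`, would keep a later cleanup from folding the list back into the single !Join. The enclosing BucketPolicy resource starts outside the hunk.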
@@ -269,11 +271,13 @@ Resources: Version: '2012-10-17' Id: PutObjectPolicy Statement: - - Sid: Deny requests that do not use TLS + - Sid: Deny requests that do not use TLS/HTTPS Effect: Deny Principal: '*' Action: s3:* - Resource: !Join ['/', [!GetAtt EnvTypeConfigsBucket.Arn, '*']] + Resource: + - !Join ['/', [!GetAtt EnvTypeConfigsBucket.Arn, '*']] + - !GetAtt EnvTypeConfigsBucket.Arn Condition: Bool: aws:SecureTransport: false @@ -420,11 +424,13 @@ Resources: Version: '2012-10-17' Id: PutObjectPolicy Statement: - - Sid: Deny requests that do not use TLS + - Sid: Deny requests that do not use TLS/HTTPS Effect: Deny Principal: '*' Action: s3:* - Resource: !Join ['/', [!GetAtt EgressStoreBucket.Arn, '*']] + Resource: + - !Join ['/', [!GetAtt EgressStoreBucket.Arn, '*']] + - !GetAtt EgressStoreBucket.Arn Condition: Bool: aws:SecureTransport: false @@ -437,6 +443,34 @@ Resources: StringNotEquals: s3:signatureversion: 'AWS4-HMAC-SHA256' + EgressNotificationBucketPolicy: + Condition: EnableEgressStore + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref EgressNotificationBucket + PolicyDocument: + Version: '2012-10-17' + Id: PutObjectPolicy + Statement: + - Sid: Deny requests that do not use TLS/HTTPS + Effect: Deny + Principal: '*' + Action: s3:* + Resource: + - !Join ['/', [!GetAtt EgressNotificationBucket.Arn, '*']] + - !GetAtt EgressNotificationBucket.Arn + Condition: + Bool: + aws:SecureTransport: false + - Sid: Deny requests that do not use SigV4 + Effect: Deny + Principal: '*' + Action: s3:* + Resource: !Join ['/', [!GetAtt EgressNotificationBucket.Arn, '*']] + Condition: + StringNotEquals: + s3:signatureversion: 'AWS4-HMAC-SHA256' + # ============================================================================================= # IAM Roles # ============================================================================================= 
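Review bot: The new `Deny requests that do not use SigV4` statement in EgressNotificationBucketPolicy lists only the object pattern, `Resource: !Join ['/', [!GetAtt EgressNotificationBucket.Arn, '*']]`, so bucket-level requests signed with SigV2 are still allowed, while the TLS statement directly above it was given both ARNs by this same commit. Change it to the two-entry list `Resource:` / `- !Join ['/', [!GetAtt EgressNotificationBucket.Arn, '*']]` / `- !GetAtt EgressNotificationBucket.Arn`. The pre-existing SigV4 statements for the other buckets in this file, such as the one whose tail is visible at the top of this hunk, likely have the same gap, but they sit outside the hunk so I cannot confirm. If EgressNotificationBucket already has a bucket policy resource elsewhere in the template, a second AWS::S3::BucketPolicy for the same bucket would replace it rather than merge with it; nothing in the hunk shows one, so this is only a check.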
diff --git a/main/solution/infrastructure/config/infra/cloudformation.yml b/main/solution/infrastructure/config/infra/cloudformation.yml
index 088e691c00..8182021660 100644
--- a/main/solution/infrastructure/config/infra/cloudformation.yml
+++ b/main/solution/infrastructure/config/infra/cloudformation.yml
@@ -34,11 +36,13 @@ Resources:
 Bucket: !Ref LoggingBucket
 PolicyDocument:
 Statement:
- - Sid: Deny requests that do not use TLS
+ - Sid: Deny requests that do not use TLS/HTTPS
 Effect: Deny
 Principal: '*'
 Action: s3:*
- Resource: !Join ['/', [!GetAtt LoggingBucket.Arn, '*']]
+ Resource:
+ - !Join ['/', [!GetAtt LoggingBucket.Arn, '*']]
+ - !GetAtt LoggingBucket.Arn
 Condition:
 Bool:
 aws:SecureTransport: false
@@ -85,11 +87,13 @@ Resources:
 AWS: !Join ['', ['arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ', !Ref 'CloudFrontOAI']]
 Resource:
 - !Join ['', ['arn:aws:s3:::', !Ref 'WebsiteBucket', '/*']]
- - Sid: Deny requests that do not use TLS
+ - Sid: Deny requests that do not use TLS/HTTPS
 Effect: Deny
 Principal: '*'
 Action: s3:*
- Resource: !Join ['/', [!GetAtt WebsiteBucket.Arn, '*']]
+ Resource:
+ - !Join ['/', [!GetAtt WebsiteBucket.Arn, '*']]
+ - !GetAtt WebsiteBucket.Arn
 Condition:
 Bool:
 aws:SecureTransport: false
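Review bot: The LoggingBucket PolicyDocument at the top of the first hunk has no `Version` key (`PolicyDocument:` goes straight to `Statement:`), whereas every other policy this commit touches declares `Version: '2012-10-17'`. Without it the document is evaluated under the 2008-10-17 policy language, which is fine for the aws:SecureTransport condition used here but would silently break policy variables if a later statement relied on them. Add `Version: '2012-10-17'` between `PolicyDocument:` and `Statement:`. The WebsiteBucket PolicyDocument in the second hunk (@@ -85) starts outside the hunk, so I cannot tell whether it has the same omission.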