From 3c90329d1a859200c2ca20be99dbf4647cb325c3 Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Fri, 20 Jun 2025 14:56:50 +0100
Subject: [PATCH 1/2] bugfix - deny all insecure traffic to all s3
---
 infrastructure/modules/s3/s3.tf | 63 +++++++++++++++++++
 .../stacks/api-layer/iam_policies.tf | 34 ----------
 2 files changed, 63 insertions(+), 34 deletions(-)
diff --git a/infrastructure/modules/s3/s3.tf b/infrastructure/modules/s3/s3.tf
index 17584a21e..0bd678d15 100644
--- a/infrastructure/modules/s3/s3.tf
+++ b/infrastructure/modules/s3/s3.tf
@@ -14,6 +14,39 @@ resource "aws_s3_bucket_versioning" "storage_bucket_versioning_config" {
 }
 }
+# ensure only secure transport is allowed
+
+resource "aws_s3_bucket_policy" "tfstate_bucket" {
+ bucket = aws_s3_bucket.storage_bucket.id
+ policy = data.aws_iam_policy_document.storage_s3_bucket_policy.json
+}
+
+data "aws_iam_policy_document" "storage_s3_bucket_policy" {
+ statement {
+ sid = "AllowSslRequestsOnly"
+ actions = [
+ "s3:*",
+ ]
+ effect = "Deny"
+ resources = [
+ aws_s3_bucket.storage_bucket.arn,
+ "${aws_s3_bucket.storage_bucket.arn}/*",
+ ]
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "Bool"
+ values = [
+ "false",
+ ]
+
+ variable = "aws:SecureTransport"
+ }
+ }
+}
+
 # Block public access to the bucket
 resource "aws_s3_bucket_public_access_block" "storage_bucket_block_public_access" {
 bucket = aws_s3_bucket.storage_bucket.id
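Review bot: The new bucket policy resource is named `tfstate_bucket` while it attaches to `aws_s3_bucket.storage_bucket` and reads `storage_s3_bucket_policy`; the name suggests a Terraform state bucket and will mislead anyone searching the module. Rename it to match its sibling in this file, `resource "aws_s3_bucket_policy" "storage_bucket" {`, before it reaches any state file, since renaming the address later needs a `moved` block or a delete-and-recreate of the policy. A bucket carries exactly one policy, so if any stack consuming this module also declares an `aws_s3_bucket_policy` for `storage_bucket` (this commit only removes the api-layer stack's access-logs policy), the two would overwrite each other on every apply; any further statements the bucket needs belong in `storage_s3_bucket_policy`. The `# ensure only secure transport is allowed` comment could be made precise as `# Deny every S3 action on the storage bucket unless the request uses TLS (aws:SecureTransport)`.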
@@ -77,6 +110,36 @@ resource "aws_s3_bucket_logging" "storage_bucket_logging_config" {
 target_prefix = "bucket_logs/"
 }
+resource "aws_s3_bucket_policy" "storage_bucket_access_logs" {
+ bucket = aws_s3_bucket.storage_bucket_access_logs.id
+ policy = data.aws_iam_policy_document.access_logs_s3_bucket_policy.json
+}
+data "aws_iam_policy_document" "access_logs_s3_bucket_policy" {
+ statement {
+ sid = "AllowSslRequestsOnly"
+ actions = [
+ "s3:*",
+ ]
+ effect = "Deny"
+ resources = [
+ aws_s3_bucket.storage_bucket_access_logs.arn,
+ "${aws_s3_bucket.storage_bucket_access_logs.arn}/*",
+ ]
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ condition {
+ test = "Bool"
+ values = [
+ "false",
+ ]
+
+ variable = "aws:SecureTransport"
+ }
+ }
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "storage_bucket_access_logs_server_side_encryption_config" {
 bucket = aws_s3_bucket.storage_bucket_access_logs.id
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
index 338299b6d..4890bb3d6 100644
--- a/infrastructure/stacks/api-layer/iam_policies.tf
+++ b/infrastructure/stacks/api-layer/iam_policies.tf
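Review bot: The `data "aws_iam_policy_document" "access_logs_s3_bucket_policy"` block follows the closing brace of the policy resource with no blank line and no header comment, unlike the equivalent pair added earlier in this file; add a blank line and `# Deny every S3 action on the access-logs bucket unless the request uses TLS (aws:SecureTransport)` for consistency. The document holds only the deny statement, and a bucket can have a single policy, so anything the log-delivery path needs granted through the bucket policy (for example a `logging.s3.amazonaws.com` PutObject grant, if this account relies on bucket-policy rather than ACL-based delivery) must live in this same document or it is dropped on apply — worth confirming that server access logging still writes afterwards. The statement is a verbatim copy of the storage bucket's, so a future change to the condition has to be applied in both places; a shared local for the statement body would keep them from drifting.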
@@ -29,39 +29,6 @@ resource "aws_iam_role_policy" "external_dynamodb_write_policy" {
 policy = data.aws_iam_policy_document.dynamodb_write_policy_doc.json
 }
-
-# Deny all S3 actions on the access logs bucket unless requests use secure (SSL) transport.
-data "aws_iam_policy_document" "storage_bucket_access_logs_policy" {
- statement {
- sid = "AllowSSLRequestsOnly"
- actions = [
- "s3:*",
- ]
- effect = "Deny"
- resources = [
- module.s3_rules_bucket.storage_bucket_access_logs_arn,
- "${module.s3_rules_bucket.storage_bucket_access_logs_arn}/*",
- ]
- principals {
- type = "*"
- identifiers = ["*"]
- }
- condition {
- test = "Bool"
- values = [
- "false",
- ]
-
- variable = "aws:SecureTransport"
- }
- }
-}
-
-resource "aws_s3_bucket_policy" "storage_bucket_access_logs_policy" {
- bucket = module.s3_rules_bucket.storage_bucket_access_logs_id
- policy = data.aws_iam_policy_document.storage_bucket_access_logs_policy.json
-}
-
 # Policy doc for S3 Rules bucket
 data "aws_iam_policy_document" "s3_rules_bucket_policy" {
 statement {
@@ -82,7 +49,6 @@ data "aws_iam_policy_document" "s3_rules_bucket_policy" {
 }
 }
-
 # Attach s3 read policy to Lambda role
 resource "aws_iam_role_policy" "lambda_s3_read_policy" {
 name = "S3ReadAccess"
From f5ed153a73f01086ea0abf5d71a87f097b67b152 Mon Sep 17 00:00:00 2001
From: Edd Almond
Date: Mon, 23 Jun 2025 13:48:36 +0100
Subject: [PATCH 2/2] sefsev
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 6820d8cab..d96c6f18d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 # This file is for you! Edit it to implement your own hooks (make targets) into
-# the project as automated steps to be executed on locally and in the CD pipeline.
+# the project as automated steps to be executed on locally and in the CD pipeline
 # ==============================================================================
 include scripts/init.mk