From 26ac0d3bc64fb69115c2da8cefe25c298ac70751 Mon Sep 17 00:00:00 2001
From: Jose Armesto
Date: Tue, 5 Dec 2023 12:53:21 +0100
Subject: [PATCH] Enable transit encryption to S3 bucket

---
 pkg/cloud/services/s3/s3.go | 14 ++++++++++++++
 pkg/cloud/services/s3/s3_test.go | 4 ++++
 2 files changed, 18 insertions(+)

diff --git a/pkg/cloud/services/s3/s3.go b/pkg/cloud/services/s3/s3.go
index 0db725d85b..cde883d64b 100644
--- a/pkg/cloud/services/s3/s3.go
+++ b/pkg/cloud/services/s3/s3.go
@@ -306,6 +306,20 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
 Action: []string{"s3:GetObject"},
 Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/control-plane/*", partition, bucketName)},
 },
+ {
+ Sid: "ForceSSLOnlyAccess",
+ Effect: iam.EffectDeny,
+ Principal: map[iam.PrincipalType]iam.PrincipalID{
+ iam.PrincipalAWS: []string{"*"},
+ },
+ Action: []string{"s3:*"},
+ Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/*", partition, bucketName)},
+ Condition: iam.Conditions{
+ "Bool": map[string]interface{}{
+ "aws:SecureTransport": false,
+ },
+ },
+ },
 }
 
 for _, iamInstanceProfile := range bucket.NodesIAMInstanceProfiles {
diff --git a/pkg/cloud/services/s3/s3_test.go b/pkg/cloud/services/s3/s3_test.go
index 51234ea3be..76e43691ec 100644
--- a/pkg/cloud/services/s3/s3_test.go
+++ b/pkg/cloud/services/s3/s3_test.go
@@ -201,6 +201,10 @@ func TestReconcileBucket(t *testing.T) {
 if !strings.Contains(policy, "arn:aws:iam::foo:role/control-plane.cluster-api-provider-aws.sigs.k8s.io") {
 t.Errorf("Expected arn to contain the right principal; got: %v", policy)
 }
+
+ if !strings.Contains(policy, "SecureTransport") {
+ t.Errorf("Expected deny when not using SecureTransport; got: %v", policy)
+ }
 }).Return(nil, nil).Times(1)
 
 if err := svc.ReconcileBucket(); err != nil {
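Review bot: The new ForceSSLOnlyAccess deny statement in the s3.go hunk lists only the object ARN (`.../%s/*`) as its Resource, so bucket-level operations addressed at the bucket ARN itself (for example s3:ListBucket, s3:GetBucketPolicy) are not covered by the Deny and can still be performed over plain HTTP; the intent stated in the commit subject is to force transit encryption for the whole bucket. The usual form of this statement names both ARNs, so I would change the Resource line to `Resource: []string{fmt.Sprintf("arn:%s:s3:::%s", partition, bucketName), fmt.Sprintf("arn:%s:s3:::%s/*", partition, bucketName)},`. A one-line comment on the statement, such as `// Deny every request that does not arrive over TLS (aws:SecureTransport=false), for the bucket and all objects in it.`, would also make the purpose of the Bool condition clear to the next reader. bucketPolicy begins before this hunk and continues after it, so I cannot see whether another statement already targets the bare bucket ARN.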
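Review bot: The added assertion in s3_test.go only checks that the substring "SecureTransport" appears somewhere in the rendered policy, which would also pass if the statement were emitted as an Allow, with the condition inverted, or attached to the wrong resource, so it does not pin the behaviour the error message describes ("Expected deny when not using SecureTransport"). Tightening it to the statement identifier and the full condition key, e.g. `if !strings.Contains(policy, "ForceSSLOnlyAccess") || !strings.Contains(policy, "aws:SecureTransport") {`, makes the check at least identify the intended statement; a stronger test would unmarshal the policy document and assert the Effect, Resource and Condition of that statement directly, though I cannot see from this hunk which JSON shape the policy is rendered in. TestReconcileBucket starts and ends outside the hunk.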