Security Modules 1.4.0 (last updated in version 1.4.0)

S3 TLS Enforcement SCP


This Terraform Module creates an AWS Organizations Service Control Policy (SCP) that denies every S3 action (s3:*) whose request does not use TLS, i.e. where the aws:SecureTransport condition key is false, and attaches it to the target given by target_id, normally the organization root. Attached at the root, the policy applies to every member account in the organization, so no member account can make unencrypted (plain HTTP) S3 requests, regardless of what its own IAM policies allow. This provides defense-in-depth for CIS compliance across all member accounts. Keep in mind that an SCP only limits permissions and never grants them, and that SCPs do not restrict the management account itself.

Features

  • Creates an SCP that denies all s3:* actions when the aws:SecureTransport condition key is false (plain-HTTP requests)

  • Attaches the policy to the root, organizational unit, or account given by target_id; attached to the AWS Organizations root, it is enforced across all member accounts

  • Supports conditional resource creation via the create_resources variable
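For reference, this is the shape of policy and attachment the module manages, written out as plain Terraform. It is an added illustration, not the module's source: the resource names, the policy name, the description, and the use of the aws_organizations_organization data source to look up the root ID are assumptions made here.

```hcl
# Added illustration of an S3 TLS-enforcement SCP (not the module's own code).
# Looks up the organization so the root ID does not have to be hard-coded (assumed approach).
data "aws_organizations_organization" "this" {}

locals {
  # Deny every S3 action whose request did not arrive over TLS.
  # aws:SecureTransport is "false" for plain-HTTP requests and "true" for HTTPS.
  # A Deny always wins over any Allow in the member account's IAM policies.
  s3_tls_enforcement_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyS3WithoutTLS"
        Effect   = "Deny"
        Action   = "s3:*"
        Resource = "*"
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      }
    ]
  })
}

resource "aws_organizations_policy" "s3_tls_enforcement" {
  name        = "example-s3-tls-enforcement" # assumed name; the module derives its name from name_prefix
  description = "Deny all S3 operations that do not use TLS"
  type        = "SERVICE_CONTROL_POLICY"
  content     = local.s3_tls_enforcement_policy
}

# Attaching at the organization root applies the policy to every member account.
# Attaching to an OU ID (ou-...) or a 12-digit account ID instead narrows the scope.
resource "aws_organizations_policy_attachment" "root" {
  policy_id = aws_organizations_policy.s3_tls_enforcement.id
  target_id = data.aws_organizations_organization.this.roots[0].id
}
```

Two practical checks: because SCP evaluation requires an Allow at every level of the hierarchy, leave the default FullAWSAccess policy (or an equivalent Allow SCP) attached alongside this Deny, otherwise member accounts lose access to everything, not just plain-HTTP S3. To confirm enforcement from a member account, issue an S3 request over HTTP, for example `aws s3api list-objects --bucket <bucket> --endpoint-url http://s3.amazonaws.com`; it should fail with AccessDenied, while the same call over HTTPS succeeds. The same test run from the management account will not be denied, since SCPs never apply there.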

Learn

Note

This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!

Core concepts

Repo organization

  • modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.

  • examples: This folder contains working examples of how to use the submodules.

  • test: Automated tests for the modules and examples.

Deploy

Non-production deployment (quick start for learning)

If you just want to try this module out, check out the following resources:

Production deployment

If you want to deploy this module in production, check out the following resources:

Note

This module must be deployed from the management account of your AWS Organization, as SCPs can only be created and attached from there. The target_id you pass may be the organization root ID (r-...), an organizational unit ID (ou-...), or a 12-digit account ID.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S S3-TLS-ENFORCEMENT-SCP MODULE
# ------------------------------------------------------------------------------------------------------

module "s_3_tls_enforcement_scp" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/s3-tls-enforcement-scp?ref=v1.4.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # A name prefix to use for the SCP policy name.
  name_prefix = <string>

  # The ID of the AWS Organizations root, organizational unit, or account to
  # attach the SCP to.
  target_id = <string>

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Set to false to skip creating resources. This is a workaround for
  # Terraform's lack of support for conditional modules.
  create_resources = true

}


Reference

Required

name_prefix (string, required)

A name prefix to use for the SCP policy name.

target_id (string, required)

The ID of the AWS Organizations root, organizational unit, or account to attach the SCP to.

Optional

create_resources (bool, optional, default: true)

Set to false to skip creating resources. This is a workaround for Terraform's lack of support for conditional modules.