boltops-tools / terraspace

Terraspace: The Terraform Framework
https://terraspace.cloud
Apache License 2.0

The Bucket Policy ForceSSLOnlyAccess is added in a wrong way and Security Hub still flags it as insecure #281

Open argo1984 opened 1 year ago

argo1984 commented 1 year ago

Checklist

My Environment

Software          Version
Operating System  Podman Image bookworm/sid
Terraform         v1.3.0
Terraspace        2.2.2
Ruby              ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux]

Expected Behaviour

I added the parameter "config.s3.enforce_ssl = true" in aws.rb, and Terraspace should create the following bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ForceSSLOnlyAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::BUCKET_ID/*",
                "arn:aws:s3:::BUCKET_ID"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Current Behavior

The following bucket policy is being created, and Security Hub still has the following finding: S3.5 S3 buckets should require requests to use Secure Socket Layer

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ForceSSLOnlyAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_ID/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Step-by-step reproduction instructions

Activate config.s3.enforce_ssl = true in aws.rb

Code Sample

TerraspacePluginAws.configure do |config|
  config.auto_create = true # set to false to completely disable auto creation
  config.tag_existing = true # if bucket or dynamodb already exists will tag them. Tags are appended.

  config.s3.access_logging = true # false is the default setting
  config.s3.block_public_access = true
  config.s3.encryption = true
  config.s3.enforce_ssl = true
  config.s3.lifecycle = true
  config.s3.versioning = true
  config.s3.secure_existing = true # run the security controls on existing buckets. by default, only run on newly created bucket the first time
  # config.s3.tags = {} # override config.tags setting

  config.dynamodb.encryption = true
  config.dynamodb.kms_master_key_id = "alias/aws/dynamodb"
  config.dynamodb.sse_type = "KMS"
  # config.dynamodb.tags = {} # override config.tags setting
end

Solution Suggestion

Add the policy which is suggested by AWS: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#s3-5-remediation
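As an added example (not part of this issue or of the Terraspace project's code), the Ruby script below audits a bucket policy document against what the S3.5 control expects, using the two policies from the issue as constructed inputs. It checks for a Deny statement that applies to every principal, covers all S3 actions, lists both the bucket ARN and its object ARN, and is conditioned on aws:SecureTransport being false. The function names and the BUCKET_ID placeholder are assumptions; the checker matches the statement shape shown in the issue's expected policy and does not try to cover every equivalent form a policy author might write.

```ruby
require "json"

# Constructed sample: the policy the issue expects (BUCKET_ID is a placeholder).
EXPECTED_POLICY = <<~'JSON'
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ForceSSLOnlyAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BUCKET_ID/*", "arn:aws:s3:::BUCKET_ID"],
        "Condition": { "Bool": { "aws:SecureTransport": "false" } }
      }
    ]
  }
JSON

# Constructed sample: the policy the issue reports as currently generated.
CURRENT_POLICY = <<~'JSON'
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ForceSSLOnlyAccess",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::BUCKET_ID/*",
        "Condition": { "Bool": { "aws:SecureTransport": "false" } }
      }
    ]
  }
JSON

# True when an Action field (string or array) covers every S3 action.
def covers_all_s3_actions?(action)
  Array(action).any? { |a| a == "s3:*" || a == "*" }
end

# True when the Resource field lists both the bucket itself and its objects.
def covers_bucket_and_objects?(resource, bucket_arn)
  resources = Array(resource)
  resources.include?(bucket_arn) && resources.include?("#{bucket_arn}/*")
end

# True when the statement denies every principal for non-TLS requests.
def denies_insecure_transport?(stmt)
  return false unless stmt["Effect"] == "Deny"
  principal = stmt["Principal"]
  everyone = principal == "*" || (principal.is_a?(Hash) && principal["AWS"] == "*")
  return false unless everyone
  stmt.dig("Condition", "Bool", "aws:SecureTransport").to_s == "false"
end

# Evaluates a bucket policy JSON document for the S3.5 requirement (hypothetical
# helper name). Returns { compliant: Boolean, reasons: [String] }.
def check_s3_5(policy_json, bucket_arn)
  policy = JSON.parse(policy_json)
  reasons = []
  candidates = Array(policy["Statement"]).select { |s| denies_insecure_transport?(s) }
  reasons << "no Deny statement for Principal * conditioned on aws:SecureTransport=false" if candidates.empty?

  compliant = candidates.any? do |s|
    action_ok = covers_all_s3_actions?(s["Action"])
    resource_ok = covers_bucket_and_objects?(s["Resource"], bucket_arn)
    reasons << "Sid #{s['Sid']}: Action #{s['Action'].inspect} does not cover s3:*" unless action_ok
    reasons << "Sid #{s['Sid']}: Resource must list both #{bucket_arn} and #{bucket_arn}/*" unless resource_ok
    action_ok && resource_ok
  end

  { compliant: compliant, reasons: compliant ? [] : reasons }
end

if __FILE__ == $PROGRAM_NAME
  arn = "arn:aws:s3:::BUCKET_ID"
  { "expected" => EXPECTED_POLICY, "current" => CURRENT_POLICY }.each do |name, doc|
    result = check_s3_5(doc, arn)
    puts "#{name}: #{result[:compliant] ? 'compliant' : 'NOT compliant'}"
    result[:reasons].each { |r| puts "  - #{r}" }
  end
end
```

Run against the two documents, the expected policy passes and the current one is reported with two reasons: the action is limited to s3:GetObject instead of s3:*, and the bucket ARN itself is missing from Resource, which is exactly why the S3.5 finding persists.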