From 9b84dafdd117a9a65eb3e4e60715f2d162ed2100 Mon Sep 17 00:00:00 2001
From: Adithya Kolla
Date: Mon, 16 Oct 2023 17:23:41 -0700
Subject: [PATCH] enforce HTTPS for pipeliene bucket
---
 internal/pkg/template/templates/app/cf.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/internal/pkg/template/templates/app/cf.yml b/internal/pkg/template/templates/app/cf.yml
index 449b012ac9d..6190ea2d78b 100644
--- a/internal/pkg/template/templates/app/cf.yml
+++ b/internal/pkg/template/templates/app/cf.yml
@@ -91,6 +91,16 @@ Resources:
 s3:x-amz-server-side-encryption: 'aws:kms'
 'Null':
 s3:x-amz-server-side-encryption: false
+ - Sid: ForceHTTPS
+ Effect: Deny
+ Principal: "*"
+ Action: s3:*
+ Resource:
+ - !Sub ${PipelineBuiltArtifactBucket.Arn}
+ - !Sub ${PipelineBuiltArtifactBucket.Arn}/*
+ Condition:
+ Bool:
+ aws:SecureTransport: false
 PipelineBuiltArtifactBucket:
 Type: AWS::S3::Bucket
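Review bot: The first `Resource` entry of the new ForceHTTPS statement wraps a bare attribute in `!Sub`; `- !GetAtt PipelineBuiltArtifactBucket.Arn` resolves to the same ARN without string interpolation, leaving `!Sub` only for the `/*` object ARN. The added lines also double-quote `Principal: "*"` and leave `Action: s3:*` plain, while the context lines just above single-quote their strings (`'aws:kms'`, `'Null'`), so `Principal: '*'` and `Action: 's3:*'` would match the file. The unquoted `false` under `Bool` follows the existing `'Null'` condition above it, so it is consistent as written. The policy's `Statement` list starts above the hunk, so whether earlier statements already use the `!Sub` form is not visible here. Because this Deny applies to every principal and every S3 action, and the diffstat shows only cf.yml changing, it is presumably worth adding or updating a rendered-template test that asserts the statement is present, so that a later edit cannot silently drop the TLS requirement.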