How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using Cloud Formation Template?

Front-end | Unresolved | 3 | 925
耶瑟儿~ 2020-12-16 10:20

I'm trying to use a CloudFormation Template to spin up an S3 Bucket in AWS. One of the requirements for this project is that the bucket be encrypted in place. I've been

3 answers
  • 2020-12-16 10:53

    AWS added this feature on January 24th, 2018:

    Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).

    JSON

    {
      "Resources": {
        "MyBucket": {
          "Type" : "AWS::S3::Bucket",
          "Properties" : {
            "BucketEncryption": {
              "ServerSideEncryptionConfiguration": [
                {
                  "ServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "AES256"
                  }
                }
              ]
            }
          }
        }
      }
    }
    

    YAML

    Resources:
      MyBucket:
        Type: "AWS::S3::Bucket"
        Properties:
          BucketEncryption:
            ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256
    

    https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html

  • 2020-12-16 11:16

    You can also use the ForceEncryption option:

    AWSTemplateFormatVersion: '2010-09-09'
    Description: Amazon S3 Bucket with 
    
    Resources:
      CodeFlexS3Bucket:
        Type: AWS::S3::Bucket
        Properties:
          AccessControl: Private
          BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
    
      ForceEncryption:
        Type: AWS::S3::BucketPolicy
        Properties:
          Bucket: !Ref CodeFlexS3Bucket
          PolicyDocument:
            Version: "2008-10-17"
            Statement:
              - Sid: DenyUnEncryptedObjectUploads
                Effect: Deny
                Principal: "*"
                Action:
                  - s3:PutObject
                Resource:
                  - !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
                Condition:
                  StringNotEquals:
                    "s3:x-amz-server-side-encryption":
                      - "aws:kms"
        DependsOn: CodeFlexS3Bucket
    

    Taken from here: Creating S3 Bucket with KMS Encryption via CloudFormation

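    The DenyUnEncryptedObjectUploads statement above rejects every PutObject whose s3:x-amz-server-side-encryption header is not exactly aws:kms. Because IAM evaluates a negated operator such as StringNotEquals as true when the key is missing from the request, an upload that sends no header at all (for example one that relies on the bucket's default encryption) is denied just like one that sends AES256. The following is an added example, not part of the answer or of any AWS library: it mirrors that statement as a Python dict and models only the StringNotEquals semantics needed to show which requests the policy lets through. The sample request contexts are constructed.

```python
"""Evaluate the DenyUnEncryptedObjectUploads statement against sample PutObject requests.

Added example, not part of the original answer. It models only the slice of IAM
policy semantics this statement relies on: an explicit Deny whose StringNotEquals
condition tests the s3:x-amz-server-side-encryption request header.
"""

# Python mirror of the Deny statement in the template above (constructed to match it).
DENY_STATEMENT = {
    "Sid": "DenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Action": ["s3:PutObject"],
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": ["aws:kms"],
        }
    },
}


def string_not_equals(condition_values: dict, request_context: dict) -> bool:
    """IAM StringNotEquals across every key in the block (keys are ANDed).

    A key is satisfied when the request's value differs from every listed value.
    A key that is absent from the request is also satisfied: negated operators
    evaluate to true on a missing key. That detail is what makes the Deny catch
    uploads that send no encryption header at all.
    """
    for key, expected in condition_values.items():
        expected_list = expected if isinstance(expected, list) else [expected]
        actual = request_context.get(key)
        if actual is not None and actual in expected_list:
            return False  # exact match found, so "not equals" fails for this key
    return True


def put_object_denied(request_context: dict, statement: dict = DENY_STATEMENT) -> bool:
    """Return True when the statement denies a PutObject with the given context."""
    if statement["Effect"] != "Deny" or "s3:PutObject" not in statement["Action"]:
        return False
    operators = statement.get("Condition", {})
    # Only StringNotEquals is implemented; any other operator is reported as unsupported.
    for operator, values in operators.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled in this example")
        if not string_not_equals(values, request_context):
            return False  # condition false, so the Deny does not apply
    return True


if __name__ == "__main__":
    # Constructed sample requests: header absent, SSE-S3 header, SSE-KMS header.
    samples = [
        {},
        {"s3:x-amz-server-side-encryption": "AES256"},
        {"s3:x-amz-server-side-encryption": "aws:kms"},
    ]
    for ctx in samples:
        verdict = "DENIED" if put_object_denied(ctx) else "allowed"
        print(f"{ctx or '(no encryption header)'}: {verdict}")
```

    Running it shows that only the request carrying aws:kms is allowed. If the goal is "every object is encrypted" rather than "every client must name KMS explicitly", pairing this policy with a BucketEncryption default of aws:kms keeps the two consistent; pairing it with an AES256 default would reject exactly the uploads the default was meant to cover.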
  • 2020-12-16 11:19

    If you have a specific KMS key, use the following:

      ConfigBucket:
        Type: AWS::S3::Bucket
        Properties:
          BucketName: "mytestbucketwithkmsencryptionkey"
          AccessControl: PublicRead
          BucketEncryption:
            ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: aws:kms
                KMSMasterKeyID: "YOUR KMS KEY ARN"
    
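    The first answer's AES256 template and this answer's aws:kms template are the two shapes BucketEncryption takes, and both are easy to drop by accident when a template is edited later. The following is an added example, not code from any of the answers or from AWS: a small standard-library audit that walks a template in its JSON form and reports any AWS::S3::Bucket without a default encryption rule, any aws:kms rule without KMSMasterKeyID (S3 then falls back to the AWS-managed aws/s3 key instead of a customer-managed one), and any AccessControl other than Private, since encryption at rest does not limit who can read objects from a publicly readable bucket. The sample templates are constructed for the example; the KMS key ARN in them is a placeholder.

```python
"""Audit CloudFormation templates (JSON form) for S3 buckets without default encryption.

Added example, not from the original answers. Standard library only, so it runs offline.
Rules applied to every AWS::S3::Bucket resource:
  * BucketEncryption must carry at least one ServerSideEncryptionByDefault rule whose
    SSEAlgorithm is AES256 (SSE-S3) or aws:kms (SSE-KMS), the two values used above;
  * aws:kms without KMSMasterKeyID is a warning: S3 uses the AWS-managed aws/s3 key;
  * AccessControl other than Private is a warning: encryption at rest does not restrict reads.
"""
import json

SUPPORTED_ALGORITHMS = ("AES256", "aws:kms")


def audit_s3_buckets(template: dict) -> list:
    """Return a list of (logical_id, severity, message) findings for a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties", {})
        rules = (props.get("BucketEncryption", {})
                      .get("ServerSideEncryptionConfiguration", []))
        if not rules:
            findings.append((logical_id, "ERROR", "no BucketEncryption configured"))
        for rule in rules:
            default = rule.get("ServerSideEncryptionByDefault", {})
            algorithm = default.get("SSEAlgorithm")
            if algorithm not in SUPPORTED_ALGORITHMS:
                findings.append((logical_id, "ERROR", f"unsupported SSEAlgorithm {algorithm!r}"))
            elif algorithm == "aws:kms" and not default.get("KMSMasterKeyID"):
                findings.append((logical_id, "WARN",
                                 "aws:kms without KMSMasterKeyID: AWS-managed key aws/s3 will be used"))
        acl = props.get("AccessControl", "Private")
        if acl != "Private":
            findings.append((logical_id, "WARN",
                             f"AccessControl is {acl}; encryption at rest does not restrict reads"))
    return findings


def audit_template_json(text: str) -> list:
    """Parse a JSON template string and audit it."""
    return audit_s3_buckets(json.loads(text))


# Constructed sample templates. "sse_s3" mirrors the first answer; "kms_public" mirrors
# this answer with a placeholder key ARN; "no_encryption" omits BucketEncryption entirely.
SAMPLE_TEMPLATES = {
    "sse_s3": {"Resources": {"MyBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}}},
    "kms_public": {"Resources": {"ConfigBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT-ID:key/PLACEHOLDER-KEY-ID"}}]}}}}},
    "no_encryption": {"Resources": {"Unencrypted": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "Private"}}}},
}


if __name__ == "__main__":
    for name, template in SAMPLE_TEMPLATES.items():
        print(name, audit_template_json(json.dumps(template)) or "OK")
```

    The audit keeps the YAML question out of scope on purpose: YAML templates with short-form tags such as !Ref need a tag-aware loader, whereas the JSON form the first answer also shows needs nothing beyond json. Running it flags the public ACL on the KMS bucket and the missing BucketEncryption on the third template, and passes the SSE-S3 template unchanged.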