How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using Cloud Formation Template?

I'm trying to use a CloudFormation Template to spin up an S3 Bucket in AWS. One of the requirements for this project is that the bucket be encrypted in place. I've been trying to find a way to set that up via CloudFormation Template (I've read all the documentation I can get my hands on for SSE-S3, KMS, CFT and S3s...). But all signs seem to point to it only being available via the console.

I'm worried I'm just missing something obvious and I wondered if anyone knew how I could use a CloudFormation Template (or at least something automated) to set the default encryption of an S3 Bucket to SSE-S3 or SSE-KMS?

Jay Carr asked Jan 12 '18 15:01



2 Answers

AWS added this feature on January 24th, 2018:

Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).

JSON

{
  "Resources": {
    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    }
  }
}

YAML

Resources:
  MyBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html

kichik answered Sep 30 '22 06:09


If you have a specific KMS key, use the following:

  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "mytestbucketwithkmsencryptionkey"
      AccessControl: PublicRead
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: "YOUR KMS KEY ARN"

Upul Doluweera answered Sep 30 '22 07:09
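An added check that covers the templates in both answers (it is not code from either answer): it walks a CloudFormation template and reports every AWS::S3::Bucket whose BucketEncryption default rule is missing or, with require_cmk=True, is SSE-S3 or SSE-KMS without a KMSMasterKeyID. The sample template, its logical IDs and the key ARN are constructed for the example.

```python
import json

# Constructed sample template (hypothetical, not taken from either answer). JSON is used so the
# check needs only the standard library; a parsed YAML template yields the same structure.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "SseS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
    "CmkBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}},
    "KmsNoKeyBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "no-default-encryption"}},
    "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
}})

ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}


def audit_bucket_encryption(template_text, require_cmk=False):
    """Return {logical_id: finding} for every AWS::S3::Bucket whose default encryption
    is missing or weaker than the policy; compliant buckets get no entry.
    require_cmk=True demands SSE-KMS with an explicit KMSMasterKeyID, since an
    aws:kms rule without a key ID falls back to the AWS managed key aws/s3."""
    findings = {}
    for logical_id, res in json.loads(template_text).get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
        defaults = [r.get("ServerSideEncryptionByDefault") for r in rules if isinstance(r, dict)]
        defaults = [d for d in defaults if d]
        if not defaults:
            findings[logical_id] = "no BucketEncryption default rule"
            continue
        for d in defaults:
            algo = d.get("SSEAlgorithm")
            if algo not in ALLOWED_ALGORITHMS:
                findings[logical_id] = f"unsupported SSEAlgorithm {algo!r}"
            elif require_cmk and algo == "AES256":
                findings[logical_id] = "SSE-S3 where policy requires SSE-KMS with a customer managed key"
            elif require_cmk and algo == "aws:kms" and not d.get("KMSMasterKeyID"):
                findings[logical_id] = "aws:kms without KMSMasterKeyID (AWS managed key aws/s3 would be used)"
    return findings


if __name__ == "__main__":
    for bucket, issue in audit_bucket_encryption(SAMPLE_TEMPLATE, require_cmk=True).items():
        print(f"{bucket}: {issue}")
```

Run it against a template before `aws cloudformation deploy` to catch buckets that were added without the BucketEncryption block.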