How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using a CloudFormation template?
Solution 1
AWS added this feature on January 24th, 2018:
Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
JSON

{
  "Resources": {
    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    }
  }
}
YAML

Resources:
  MyBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html
Solution 2
If you have a specific KMS key, use the following:

ConfigBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: "mytestbucketwithkmsencryptionkey"
    # PublicRead grants anonymous read access to the bucket's objects;
    # use Private unless the bucket is intentionally public.
    AccessControl: PublicRead
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
            # Replace with your key ARN (a key ID or alias is also accepted).
            KMSMasterKeyID: "YOUR KMS KEY ARN"
Solution 3
You can also use the ForceEncryption option:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
  CodeFlexS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
  ForceEncryption:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CodeFlexS3Bucket
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          # StringNotEquals also matches when the header is absent, so a
          # PutObject that omits x-amz-server-side-encryption is denied too.
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption":
                  - "aws:kms"
    # Redundant: the !Ref above already creates the dependency.
    DependsOn: CodeFlexS3Bucket
Taken from here: Creating S3 Bucket with KMS Encryption via CloudFormation
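A complete template that creates the KMS key and then restricts the bucket to that key, added here as an example; it is not from any of the answers above, and it is what MattG's comment further down asks for. It combines Solution 2 (KMSMasterKeyID pointing at a key) with Solution 3 (a bucket policy that refuses uploads without SSE-KMS) and adds a second Deny for uploads that name a different key. The resource names BucketKey, BucketKeyAlias, EncryptedBucket and EncryptedBucketPolicy, the alias name and the BucketName parameter are assumptions; everything else uses documented AWS::S3::Bucket, AWS::S3::BucketPolicy and AWS::KMS::Key properties and the S3 condition keys s3:x-amz-server-side-encryption and s3:x-amz-server-side-encryption-aws-kms-key-id.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: S3 bucket with its own KMS key, SSE-KMS default encryption and a policy that only accepts uploads with that key

Parameters:
  BucketName:
    Type: String
    Description: Globally unique bucket name (assumed; supply your own)

Resources:
  BucketKey:
    Type: AWS::KMS::Key
    # Retain the key: objects encrypted with it are unrecoverable if it is deleted.
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      Description: Key for default encryption of the example bucket
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Account root keeps administration so the key cannot be orphaned.
          # Principals that read or write objects still need kms:GenerateDataKey
          # and kms:Decrypt on this key through their own IAM policies.
          - Sid: AllowAccountKeyAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"

  BucketKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/encrypted-bucket-example   # assumed alias name
      TargetKeyId: !Ref BucketKey

  EncryptedBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      # No AccessControl property: ACLs are disabled and public access is blocked.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt BucketKey.Arn
            # S3 Bucket Keys reduce the number of KMS calls (and cost) for SSE-KMS.
            BucketKeyEnabled: true

  EncryptedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref EncryptedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # StringNotEquals also matches when the header is absent, so uploads
          # that omit x-amz-server-side-encryption are denied even though the
          # bucket default would have encrypted them with aws:kms anyway.
          - Sid: DenyNonKmsUploads
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub "${EncryptedBucket.Arn}/*"
            Condition:
              StringNotEquals:
                s3:x-amz-server-side-encryption: aws:kms
          # Reject uploads that name any KMS key other than this stack's key.
          # The IfExists variant lets a request that omits the key-id header
          # fall through to the bucket default, which is this same key.
          - Sid: DenyOtherKmsKeys
            Effect: Deny
            Principal: "*"
            Action: s3:PutObject
            Resource: !Sub "${EncryptedBucket.Arn}/*"
            Condition:
              StringNotEqualsIfExists:
                s3:x-amz-server-side-encryption-aws-kms-key-id: !GetAtt BucketKey.Arn
          # Plaintext HTTP would expose object data in transit regardless of SSE.
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: s3:*
            Resource:
              - !GetAtt EncryptedBucket.Arn
              - !Sub "${EncryptedBucket.Arn}/*"
            Condition:
              Bool:
                aws:SecureTransport: "false"
```

After deploying, a client that uploads with `aws s3 cp file s3://<bucket>/key --sse aws:kms --sse-kms-key-id <key ARN>` succeeds, while an upload with `--sse AES256`, with no `--sse` at all, or with another key's ARN gets an AccessDenied from the bucket policy. The key-id condition compares against the full key ARN, so pass the ARN rather than the alias when you set the header explicitly. Because both the bucket and the key carry DeletionPolicy: Retain, deleting the stack leaves the data and the key needed to read it in place.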
Jay Carr
Updated on June 28, 2020

Comments
- Jay Carr almost 4 years
I'm trying to use a CloudFormation Template to spin up an S3 Bucket in AWS. One of the requirements for this project is that the bucket be encrypted in place. I've been trying to find a way to set that up via CloudFormation Template (I've read all the documentation I can get my hands on for SSE-S3, KMS, CFT and S3s...). But all signs seem to point to it only being available via the console.
I'm worried I'm just missing something obvious and I wondered if anyone knew how I could use a CloudFormation Template (or at least something automated) to set the default encryption of an S3 Bucket to SSE-S3 or SSE-KMS?
- MattG over 4 years: Can you update this to show how to generate the KMSMasterKey, and then require that key only for the bucket.