如何使用云形成模板在 S3 存储桶上设置 SSE-S3 或 SSE-KMS 加密?
How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using Cloud Formation Template?
我正在尝试使用 CloudFormation 模板在 AWS 中启动 S3 存储桶。该项目的要求之一是对存储桶进行就地加密。我一直在尝试找到一种通过 CloudFormation 模板进行设置的方法(我已经阅读了所有我可以获得的关于 SSE-S3、KMS、CFT 和 S3s 的文档……)。但所有迹象似乎都表明它只能通过控制台使用。
我担心我只是遗漏了一些明显的东西,我想知道是否有人知道我如何使用 CloudFormation 模板(或至少是自动化的东西)将 S3 存储桶的默认加密设置为 SSE-S3 或 SSE -KMS?
AWS 添加了此功能on January 24th, 2018:
Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or AWS KMS-managed Keys (SSE-KMS) bucket.
JSON
{
"Resources": {
"MyBucket": {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
}
}
}
YAML
Resources:
MyBucket:
Type: "AWS::S3::Bucket"
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html
您也可以使用 ForceEncryption 选项:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
CodeFlexS3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
ForceEncryption:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CodeFlexS3Bucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "aws:kms"
DependsOn: CodeFlexS3Bucket
取自此处:Creating S3 Bucket with KMS Encryption via CloudFormation
如果您有特定的 KMS 密钥,请使用以下内容
ConfigBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "mytestbucketwithkmsencryptionkey"
AccessControl: PublicRead
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: "YOUR KMS KEY ARN"
我正在尝试使用 CloudFormation 模板在 AWS 中启动 S3 存储桶。该项目的要求之一是对存储桶进行就地加密。我一直在尝试找到一种通过 CloudFormation 模板进行设置的方法(我已经阅读了所有我可以获得的关于 SSE-S3、KMS、CFT 和 S3s 的文档……)。但所有迹象似乎都表明它只能通过控制台使用。
我担心我只是遗漏了一些明显的东西,我想知道是否有人知道我如何使用 CloudFormation 模板(或至少是自动化的东西)将 S3 存储桶的默认加密设置为 SSE-S3 或 SSE -KMS?
AWS 添加了此功能on January 24th, 2018:
Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or AWS KMS-managed Keys (SSE-KMS) bucket.
JSON
{
"Resources": {
"MyBucket": {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
}
}
}
YAML
Resources:
MyBucket:
Type: "AWS::S3::Bucket"
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html
您也可以使用 ForceEncryption 选项:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
CodeFlexS3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
ForceEncryption:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CodeFlexS3Bucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "aws:kms"
DependsOn: CodeFlexS3Bucket
取自此处:Creating S3 Bucket with KMS Encryption via CloudFormation
如果您有特定的 KMS 密钥,请使用以下内容
ConfigBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "mytestbucketwithkmsencryptionkey"
AccessControl: PublicRead
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: "YOUR KMS KEY ARN"