41

I'm trying to use a CloudFormation Template to spin up an S3 Bucket in AWS. One of the requirements for this project is that the bucket be encrypted in place. I've been trying to find a way to set that up via CloudFormation Template (I've read all the documentation I can get my hands on for SSE-S3, KMS, CFT and S3s...). But all signs seem to point to it only being available via the console.

I'm worried I'm just missing something obvious and I wondered if anyone knew how I could use CloudFormation Template(or at least something automated) to set the default encryption of an S3 Bucket to SSE-S3 or SSE-KMS?

Improve this question
3

3 Answers 3

Reset to default
57

AWS added this feature on January 24th, 2018:

Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or AWS KMS-managed Keys (SSE-KMS) bucket.

JSON

{
  "Resources": {
    "MyBucket": {
      "Type" : "AWS::S3::Bucket",
      "Properties" : {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "AES256"
              }
            }
          ]
        }
      }
    }
  }
}

YAML

Resources:
  MyBucket:
    Type: "AWS::S3::Bucket"
    Properties: 
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html

Improve this answer
0
14

If you have a specific KMS key use the following

  ConfigBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "mytestbucketwithkmsencryptionkey"
      AccessControl: PublicRead
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
            KMSMasterKeyID: "YOUR KMS KEY ARN"
Improve this answer
1
  • 2
    Can you update this to show how to generate the KMSMasterKey, and then require that key only for the bucket.
    – MattG
    Aug 28, 2019 at 5:18
4

You can also use ForceEncryption option as well:

AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with 

Resources:
  CodeFlexS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]

  ForceEncryption:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CodeFlexS3Bucket
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption":
                  - "aws:kms"
    DependsOn: CodeFlexS3Bucket

Taken from here: Creating S3 Bucket with KMS Encryption via CloudFormation

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.