This repository was archived by the owner on Nov 7, 2019. It is now read-only.
Supporting default s3 Bucket Encryption #215
Open
Description
I wanted to be able to support server-side AES256 encryption by default and attach a policy that prevents non-encrypted assets from being uploaded using something like this:
```yaml
# part of s3-example-bucket.yaml
apiVersion: service-operator.aws/v1alpha1
kind: CloudFormationTemplate
metadata:
  name: s3bucket
data:
  key: s3-example-bucket.yaml
  template: |
    AWSTemplateFormatVersion: 2010-09-09
    Parameters:
      EnableBucketEncryption:
        Description: >-
          Enables AES256 encryption by default for all objects uploaded
        Type: String
        AllowedValues:
          - 'true'
          - 'false'
        Default: 'true'
      # ...
    Conditions:
      # Fn::If takes a condition name, not a parameter, so derive one from the parameter.
      EncryptBucket: !Equals [!Ref EnableBucketEncryption, 'true']
      # UseAsStaticSite (and the BucketName parameter) are defined in the elided part.
      # ...
    Resources:
      S3bucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketName: !Ref BucketName
          BucketEncryption: !If
            - EncryptBucket
            - ServerSideEncryptionConfiguration:
                - ServerSideEncryptionByDefault:
                    SSEAlgorithm: AES256
            - !Ref 'AWS::NoValue'
      # ...
      WebsiteBucketPolicy:
        Type: AWS::S3::BucketPolicy
        # The whole policy, Deny statements included, only exists when UseAsStaticSite is true.
        Condition: UseAsStaticSite
        Properties:
          Bucket: !Ref S3bucket
          PolicyDocument:
            Statement:
              - Action:
                  - "s3:GetObject"
                Effect: Allow
                Principal: "*"
                Resource: !Sub 'arn:aws:s3:::${S3bucket}/*'
              # Deny uploads that request an algorithm other than the bucket default.
              # This value must match SSEAlgorithm above (use aws:kms only if the bucket defaults to SSE-KMS).
              - !If
                - EncryptBucket
                - Action: "s3:PutObject"
                  Effect: Deny
                  Principal: "*"
                  Condition:
                    StringNotEquals:
                      s3:x-amz-server-side-encryption: AES256
                  Resource: !Sub 'arn:aws:s3:::${S3bucket}/*'
                - !Ref 'AWS::NoValue'
              # Deny uploads that do not send the encryption header at all.
              # 'Null' is quoted so the YAML parser does not read the key as a null scalar.
              - !If
                - EncryptBucket
                - Action: "s3:PutObject"
                  Effect: Deny
                  Principal: "*"
                  Condition:
                    'Null':
                      s3:x-amz-server-side-encryption: 'true'
                  Resource: !Sub 'arn:aws:s3:::${S3bucket}/*'
                - !Ref 'AWS::NoValue'
```
It seems like the policy would likely be supported, but the default S3 encryption option isn't in the Go generator. Is this on the roadmap?
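To see what the two PutObject Deny statements in the policy above actually do to uploads, here is an added example that is not part of the issue or of the aws-service-operator project. It models only the two IAM condition operators the policy uses (StringNotEquals and Null), applies them to three constructed PutObject requests, and runs offline. The statement Sids, the `HEADER`/`DEFAULT_SSE_ALGORITHM` names and the sample requests are the example's own. One thing it makes visible that the template does not: a client that sends no `x-amz-server-side-encryption` header and relies on the bucket's default encryption is still denied, because the bucket policy is evaluated against the request headers, not against what default encryption would have done afterwards.

```python
"""Offline check of the two PutObject Deny statements in the bucket policy above.

Added example, not code from the aws-service-operator project or the issue
author. It models only the IAM condition operators the policy uses
(StringNotEquals and Null) against constructed PutObject requests, so it runs
without AWS credentials or a deployed stack.
"""

HEADER = "s3:x-amz-server-side-encryption"  # condition key for the SSE request header
DEFAULT_SSE_ALGORITHM = "AES256"             # must equal SSEAlgorithm in the template

# The two Deny statements, in the shape of the PolicyDocument above. Resource is
# omitted because every sample request below targets an object inside the bucket.
DENY_STATEMENTS = [
    {
        "Sid": "DenyIncorrectEncryptionHeader",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Condition": {"StringNotEquals": {HEADER: DEFAULT_SSE_ALGORITHM}},
    },
    {
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Condition": {"Null": {HEADER: "true"}},
    },
]


def condition_matches(condition, request_context):
    """Return True if every operator/key pair in a statement's Condition matches.

    Modelling assumption: StringNotEquals on a key that is absent from the
    request context does not match. The policy carries the separate Null
    statement precisely so a missing header is denied without relying on that.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request_context.get(key)
            if operator == "StringNotEquals":
                if actual is None or actual == expected:
                    return False
            elif operator == "Null":
                key_is_absent = actual is None
                if key_is_absent != (expected == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def evaluate_put(request_context):
    """Evaluate one PutObject request against the Deny statements.

    Returns ("Deny", [matching Sids]) or ("Allow", []). A real authorization
    would also need an Allow from IAM or the bucket policy; this only shows
    whether an explicit Deny fires, which is what the issue's policy is about.
    """
    matched = [
        s["Sid"]
        for s in DENY_STATEMENTS
        if s["Action"] == "s3:PutObject" and condition_matches(s["Condition"], request_context)
    ]
    return ("Deny", matched) if matched else ("Allow", [])


# Constructed PutObject request contexts; only the SSE header differs.
SAMPLE_REQUESTS = {
    "no_header": {},                # client relies on bucket default encryption
    "aes256": {HEADER: "AES256"},   # explicitly requests the bucket default
    "kms": {HEADER: "aws:kms"},     # requests SSE-KMS instead of the default
}


def evaluate_samples():
    """Evaluate every sample request; returns {name: (decision, matching Sids)}."""
    return {name: evaluate_put(ctx) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (decision, sids) in evaluate_samples().items():
        print(f"{name:10s} -> {decision} {sids}")
```

If you switch the bucket default to SSE-KMS, change `DEFAULT_SSE_ALGORITHM` to `aws:kms` and the `aes256` sample flips to a Deny; that is the mismatch the StringNotEquals value in the template has to avoid.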