This is an AWS CloudFormation YAML template that creates an Amazon S3 bucket and rejects unencrypted uploads: objects must be written with server-side encryption using AWS KMS keys (SSE-KMS).
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
  CodeFlexS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      # Bucket names are global, so the region is appended to keep the name unique.
      BucketName: !Join ["-", ["codeflex-example", !Ref "AWS::Region"]]
  ForceEncryption:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CodeFlexS3Bucket
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
            # StringNotEquals also matches when the header is absent, so a PutObject
            # without any x-amz-server-side-encryption header is denied too.
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption":
                  - "aws:kms"
    DependsOn: CodeFlexS3Bucket
```
So what do we have here?

We create an S3 bucket named codeflex-example-us-west-2 (the region is joined into the name, us-west-2 in this deployment) and attach the ForceEncryption bucket policy to it. The policy denies any s3:PutObject request whose server-side-encryption header is not aws:kms, so only data encrypted with KMS can be uploaded.
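To make the Condition block's behaviour concrete, here is an added example (not part of the original post or the template) that models how IAM evaluates the DenyUnEncryptedObjectUploads statement against a PutObject request. It covers only the Condition, not the Action/Resource matching, and the request headers are constructed sample values; the edge case it demonstrates is that a "Not" operator evaluates to true when the condition key is absent, so a request with no encryption header is denied.

```python
# Added example: offline model of the StringNotEquals condition in the
# DenyUnEncryptedObjectUploads statement. Headers below are constructed samples.

ENCRYPTION_KEY = "s3:x-amz-server-side-encryption"

# The Condition block from the template, expressed as Python data.
DENY_CONDITION = {"StringNotEquals": {ENCRYPTION_KEY: ["aws:kms"]}}


def string_not_equals(actual, allowed):
    """IAM StringNotEquals: a missing key matches (True); otherwise True only
    when the request value differs from every listed value."""
    if actual is None:
        return True
    return all(actual != value for value in allowed)


def statement_matches(condition, context):
    """True when every operator/key pair in the Condition matches the request."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, allowed in pairs.items():
            if not string_not_equals(context.get(key), allowed):
                return False
    return True


def put_object_decision(headers):
    """Return 'deny' if the Deny statement fires for these request headers,
    else 'not_denied' (an Allow from IAM is still needed for the upload to succeed)."""
    # S3 maps the x-amz-server-side-encryption request header onto the condition key.
    context = {}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        context[ENCRYPTION_KEY] = sse
    return "deny" if statement_matches(DENY_CONDITION, context) else "not_denied"


# Constructed sample PutObject requests.
SAMPLE_REQUESTS = {
    "no_sse_header": {"Content-Type": "text/plain"},   # header missing -> deny
    "sse_s3": {"x-amz-server-side-encryption": "AES256"},  # SSE-S3 -> deny
    "sse_kms": {"x-amz-server-side-encryption": "aws:kms"},  # SSE-KMS -> not denied
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:14} -> {put_object_decision(hdrs)}")
```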