Creating S3 Bucket with KMS Encryption via CloudFormation

By
Yuri Bondarenko
-

This is AWS CloudFormation YAML template for creation Amazon S3 bucket which restricts unsecured data (SSE-KMS).

 

AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with 

Resources:
  CodeFlexS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]

  ForceEncryption:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref CodeFlexS3Bucket
      PolicyDocument:
        Version: "2008-10-17"
        Statement:
          - Sid: DenyUnEncryptedObjectUploads
            Effect: Deny
            Principal: "*"
            Action:
              - s3:PutObject
            Resource:
              - !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
            Condition:
              StringNotEquals:
                "s3:x-amz-server-side-encryption":
                  - "aws:kms"
    DependsOn: CodeFlexS3Bucket

So what we have here?
We’re creating S3 bucket named codeflex-example-us-west-2 and applying on it ForceEncryption option that allows to upload only encrypted data with KMS.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.