amazon-archives / aws-service-operator

AWS Service Operator allows you to create AWS resources using kubectl.
Apache License 2.0

Supporting default s3 Bucket Encryption #215

Open hardboiled opened 4 years ago

hardboiled commented 4 years ago

I wanted to be able to support server-side AES256 encryption by default and attach a policy that prevents non-encrypted assets from being uploaded using something like this:

# part of s3-example-bucket.yaml
apiVersion: service-operator.aws/v1alpha1
kind: CloudFormationTemplate
metadata:
  name: s3bucket
data:
  key: s3-example-bucket.yaml
  template: |
    AWSTemplateFormatVersion: 2010-09-09
    Parameters:
      EnableBucketEncryption:
        Description: >-
          Enables AES256 encryption by default for all objects uploaded
        Type: String
        AllowedValues:
          - 'true'
          - 'false'
        Default: 'true'
    # ...
    Resources:
      S3bucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketName: !Ref BucketName
          # Default encryption is only configured when the condition holds;
          # AWS::NoValue drops the property entirely otherwise.
          BucketEncryption: !If
            - EnableBucketEncryption
            - ServerSideEncryptionConfiguration:
                - ServerSideEncryptionByDefault:
                    SSEAlgorithm: AES256
            - !Ref 'AWS::NoValue'
    # ...
      WebsiteBucketPolicy:
        Type: AWS::S3::BucketPolicy
        Condition: UseAsStaticSite
        Properties:
          Bucket: !Ref S3bucket
          PolicyDocument:
            Statement:
              - Action:
                  - "s3:GetObject"
                Effect: Allow
                Principal: "*"
                Resource: !Join ["", ["arn:aws:s3:::", !Ref S3bucket, "/*"]]
              # One !If cannot splice two statements into the list, so each
              # conditional statement gets its own !If; AWS::NoValue removes
              # the list entry when encryption is disabled.
              - !If
                - EnableBucketEncryption
                - Action: "s3:PutObject"
                  Effect: Deny
                  Principal: "*"
                  Condition:
                    StringNotEquals:
                      # must match the default algorithm above, otherwise
                      # AES256-encrypted uploads would be rejected
                      s3:x-amz-server-side-encryption: AES256
                  Resource: !Join ["", ["arn:aws:s3:::", !Ref S3bucket, "/*"]]
                - !Ref 'AWS::NoValue'
              - !If
                - EnableBucketEncryption
                - Action: "s3:PutObject"
                  Effect: Deny
                  Principal: "*"
                  Condition:
                    # quoted so YAML does not read the key as a null value
                    "Null":
                      s3:x-amz-server-side-encryption: 'true'
                  Resource: !Join ["", ["arn:aws:s3:::", !Ref S3bucket, "/*"]]
                - !Ref 'AWS::NoValue'

It seems like the policy would likely be supported, but the default S3 encryption option isn't in the Go generator. Is this on the roadmap?
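As an added illustration (not code from the issue or from aws-service-operator), a small Python evaluator for the two PutObject Deny statements in the policy above, under the assumption that a missing condition key never satisfies StringNotEquals (which is why the separate Null statement exists) and that Null "true" matches an absent key. The hypothetical `deny_statements` helper takes the required algorithm as a parameter, which makes visible that requiring `aws:kms` rejects uploads that are AES256-encrypted.

```python
# Added example (not code from the issue or aws-service-operator): an offline
# evaluator for the two conditional Deny statements in the bucket policy above.
# Assumed IAM semantics: a missing key never satisfies StringNotEquals (which is
# why the separate Null statement exists); Null "true" matches an absent key.
from typing import Dict, List, Optional

SSE_KEY = "s3:x-amz-server-side-encryption"


def deny_statements(required_algorithm: str) -> List[Dict]:
    """The two PutObject Deny statements from the template, for a required algorithm."""
    return [
        {"Effect": "Deny", "Action": ["s3:PutObject"],
         "Condition": {"StringNotEquals": {SSE_KEY: required_algorithm}}},
        {"Effect": "Deny", "Action": ["s3:PutObject"],
         "Condition": {"Null": {SSE_KEY: "true"}}},
    ]


def _condition_matches(operator: str, key_values: Dict, ctx: Dict) -> bool:
    for key, expected in key_values.items():
        actual = ctx.get(key)
        if operator == "StringNotEquals":
            if actual is None or actual == expected:
                return False
        elif operator == "Null":
            if (actual is None) != (expected == "true"):
                return False
        else:
            raise ValueError(f"unsupported condition operator: {operator}")
    return True


def put_object_denied(statements: List[Dict], sse_header: Optional[str]) -> bool:
    """True if a Deny statement matches a PutObject sending sse_header (None = no header)."""
    ctx = {} if sse_header is None else {SSE_KEY: sse_header}
    for stmt in statements:
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in stmt["Action"]:
            continue
        if all(_condition_matches(op, kv, ctx) for op, kv in stmt["Condition"].items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests: no header, AES256 header, aws:kms header.
    for required in ("AES256", "aws:kms"):
        for header in (None, "AES256", "aws:kms"):
            verdict = "DENY" if put_object_denied(deny_statements(required), header) else "allow"
            print(f"policy requires {required:<8} header={str(header):<8} -> {verdict}")
```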

mhausenblas commented 4 years ago

We're in the process of setting up a new repo, continuing the work there.