How do you set SSE-S3 or SSE-KMS encryption on S3 buckets using Cloud Formation Template?
AWS added this feature on January 24th, 2018:
Use the BucketEncryption property to specify default encryption for a bucket using server-side encryption with Amazon S3-managed keys SSE-S3 or AWS KMS-managed Keys (SSE-KMS) bucket.
JSON
{
"Resources": {
"MyBucket": {
"Type" : "AWS::S3::Bucket",
"Properties" : {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
}
}
}
YAML
Resources:
MyBucket:
Type: "AWS::S3::Bucket"
Properties:
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-bucketencryption.html
If you have a specific KMS key use the following
ConfigBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "mytestbucketwithkmsencryptionkey"
AccessControl: PublicRead
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: "YOUR KMS KEY ARN"
You can also use ForceEncryption option as well:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
CodeFlexS3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
ForceEncryption:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CodeFlexS3Bucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "aws:kms"
DependsOn: CodeFlexS3Bucket
Taken from here: Creating S3 Bucket with KMS Encryption via CloudFormation