Enable Server Side Encryption with AWS S3-Manged-Keys by default #18
Labels
enhancement
New feature or request
Comments
|
On further reading in https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html it looks like there isn't a way to create a bucket and say "everything in this bucket should be server-side encrypted" - instead, that article suggests adding the following policy to the bucket: {
"Version": "2012-10-17",
"Id": "PutObjectPolicy",
"Statement": [
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::awsexamplebucket1/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Sid": "DenyUnencryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::awsexamplebucket1/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}This will deny any attempts to PUT an object that fail to specify the As such, I'm going to consider this out-of-scope for this project. If I implement bucket policies in #19 I'll include a mechanism similar to |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Originally posted by @zacaytion in #7 (comment)
The text was updated successfully, but these errors were encountered: