simonw/s3-credentials

Enable Server Side Encryption with AWS S3-Managed-Keys by default

simonw opened this issue · 1 comments

On further reading in https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html it looks like there isn't a way to create a bucket and say "everything in this bucket should be server-side encrypted" - instead, that article suggests adding the following policy to the bucket:

{
  "Version": "2012-10-17",
  "Id": "PutObjectPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}

This will deny any attempts to PUT an object that fail to specify the x-amz-server-side-encryption: AES256 header.

As such, I'm going to consider this out-of-scope for this project. If I implement bucket policies in #19 I'll include a mechanism similar to --policy from #14 such that people who want to do this can specify their own custom bucket policy.
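Added example, not part of the original issue or the s3-credentials code base: a simplified local model of how the two Deny statements in the quoted policy evaluate against a PutObject request, so the effect of each statement can be checked offline before attaching a custom policy. The function names `sse_policy`, `condition_matches` and `denying_sids` are hypothetical, the sample requests are constructed, and only the two condition operators used by this policy are modelled.

```python
def sse_policy(bucket):
    """Build the two-statement deny policy quoted above for a given bucket name."""
    key = "s3:x-amz-server-side-encryption"

    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": condition}

    return {"Version": "2012-10-17", "Id": "PutObjectPolicy", "Statement": [
        deny("DenyIncorrectEncryptionHeader", {"StringNotEquals": {key: "AES256"}}),
        deny("DenyUnencryptedObjectUploads", {"Null": {key: "true"}}),
    ]}


def condition_matches(operator, key, expected, context):
    """Simplified model (an assumption of this example) of the two operators used."""
    present = key in context
    if operator == "Null":
        # "true" matches when the key is absent from the request context.
        return (not present) == (expected == "true")
    if operator == "StringNotEquals":
        # Negated operators also match when the key is absent.
        return not present or context[key] != expected
    raise ValueError(f"operator not modelled: {operator}")


def denying_sids(policy, headers):
    """Return the Sids of the Deny statements that match a PutObject with these headers."""
    context = {}
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        context["s3:x-amz-server-side-encryption"] = sse
    matched = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, k, v, context)
               for op, pairs in stmt["Condition"].items() for k, v in pairs.items()):
            matched.append(stmt["Sid"])
    return matched


if __name__ == "__main__":
    policy = sse_policy("awsexamplebucket1")
    # Constructed sample requests: no header, the required value, a different value.
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"}):
        print(headers, "->", denying_sids(policy, headers) or "not denied by this policy")
```
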