S3 - Encryption
Enable Bucket Encryption
The following policy will enable bucket encryption on all s3 buckets.
policies:
- name: s3-set-bucket-encryption
resource: s3
actions:
- type: set-bucket-encryption
crypto: AES256
enabled: True
Remediate Existing
Will scan all keys in the bucket for unencrypted keys and by default remediate them such that they are encrypted.
policies:
- name: s3-key-encryption
resource: s3
actions:
- type: encrypt-keys
crypto: aws:kms
Options
cryptofor determining the crypto mechanism, this can either beaws:kmsorAES256(default)
key-idfor specifying the customer KMS key to use for the SSE, if thecryptovalue passed isaws:kmsthe AWS default KMS key will be used instead.
report-onlygenerate reports of unencrypted keys in a bucket, but do not remediate them.
Remediate Incoming
Note: the set-bucket-encryption action is a much more effective way of
enabling encryption on a bucket.
Will scan all newly created objects and remediate them such that they are encrypted.
policies:
- name: s3-attach-encryption
resource: s3
actions:
- type: attach-encrypt
role: arn:aws:iam::123456789012:role/my-role
topic: arn:aws:sns::123456789012:my-topic
Options
rolefor the role the encrypting Lambda should run as (not necessary if you provide--assume-roleon the command line).
topicfor the SNS topic to subscribe the Lambda to. If you settopictodefaultthen we will reuse any existing SNS topic that specifiess3:ObjectCreated:*, or set one up if needed. Iftopicis missing, then we’ll attach via a bucket notification.
Bucket Policy
Note: the set-bucket-encryption action is a much more effective way of
enabling encryption on a bucket.
Adds an encryption required bucket policy and merges with extant policy statements. Note filters should be used to avoid hitting any buckets that are being written to by AWS services, as these do not write encrypted and will be blocked by this policy.
policies:
- name: s3-encryption-policy
resource: s3
actions:
- encryption-policy