S3 - Encryption¶
Enable Bucket Encryption¶
The following policy will enable bucket encryption on all s3 buckets.
policies:
- name: s3-set-bucket-encryption
resource: s3
actions:
- type: set-bucket-encryption
crypto: AES256
enabled: True
Remediate Existing¶
Will scan all keys in the bucket for unencrypted keys and by default remediate them such that they are encrypted.
policies:
- name: s3-key-encryption
resource: s3
actions:
- type: encrypt-keys
crypto: aws:kms
Options¶
crypto
for determining the crypto mechanism, this can either beaws:kms
orAES256
(default)
key-id
for specifiying the customer KMS key to use for the SSE, if thecrypto
value passed isaws:kms
the AWS default KMS key will be used instead.
report-only
generate reports of unencrypted keys in a bucket, but do not remediate them.
Remediate Incoming¶
Note: the set-bucket-encryption
action is a much more effective way of
enabling encryption on a bucket.
Will scan all newly created objects and remediate them such that they are encrypted.
policies:
- name: s3-attach-encryption
resource: s3
actions:
- type: attach-encrypt
role: arn:aws:iam::123456789012:role/my-role
topic: arn:aws:sns::123456789012:my-topic
Options¶
role
for the role the encrypting Lambda should run as (not necessary if you provide--assume-role
on the command line).
topic
for the SNS topic to subscribe the Lambda to. If you settopic
todefault
then we will reuse any existing SNS topic that specifiess3:ObjectCreated:*
, or set one up if needed. Iftopic
is missing, then we’ll attach via a bucket notification.
Bucket Policy¶
Note: the set-bucket-encryption
action is a much more effective way of
enabling encryption on a bucket.
Adds an encryption required bucket policy and merges with extant policy statements. Note filters should be used to avoid hitting any buckets that are being written to by AWS services, as these do not write encrypted and will be blocked by this policy.
policies:
- name: s3-encryption-policy
resource: s3
actions:
- encryption-policy