To manage bucket encryption using condition in CloudFormation template
0
Hi AWS, I am trying to impose a condition on S3 BucketEncryption property whether it should be customer managed (SSE-KMS) or AWS managed key (SSE-S3). The code for the template is:
# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template
Parameters:
BucketName:
Type: String
Description: "Name of the S3 bucket"
KMSKeyArn:
Type: String
Description: "KMS Key Arn to encrypt S3 bucket"
Default: ""
SSEAlgorithm:
Type: String
Description: "Encryption algorithm for KMS"
AllowedValues:
- aws:kms
- AES256
Conditions:
KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
BucketName: !Ref BucketName
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- !If
- KMSKeysProvided
- ServerSideEncryptionByDefault:
SSEAlgorithm: !Ref SSEAlgorithm
KMSMasterKeyID: !Ref KMSKeyArn
BucketKeyEnabled: true
- !Ref "AWS::NoValue"
When I am selecting the SSEAlgorithm as AES256 I am receiving this error Property ServerSideEncryptionConfiguration cannot be empty. I know KMSMasterKeyID should not be present when the SSEAlgorithm is of AES256 type but I am confused how to get rid of this error.
Please help.
質問済み 1年前465ビュー
2回答
- 新しい順
- 投票が多い順
- コメントが多い順
1
Hello,
I hope you're doing well!
You are right. KMSMasterKeyID should not be present when the SSEAlgorithm is of AES256 type. So, you should check SSEAlgorithm type. Not KMSKeysProvided. Please check the updated following example.
# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template
Parameters:
BucketName:
Type: String
Description: "Name of the S3 bucket"
KMSKeyArn:
Type: String
Description: "KMS Key Arn to encrypt S3 bucket"
Default: ""
SSEAlgorithm:
Type: String
Description: "Encryption algorithm for KMS"
AllowedValues:
- aws:kms
- AES256
Conditions:
KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]
Conditions:
AES256: !Equals [!Ref SSEAlgorithm, "AES256"]
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
BucketName: !Ref BucketName
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- !If
- AES256
- ServerSideEncryptionByDefault:
SSEAlgorithm: !Ref SSEAlgorithm
BucketKeyEnabled: true
- ServerSideEncryptionByDefault:
SSEAlgorithm: !Ref SSEAlgorithm
KMSMasterKeyID: !Ref KMSKeyArn
BucketKeyEnabled: true
I hope this to be helpful.
回答済み 1年前
0
The working code:
# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template
Parameters:
BucketName:
Type: String
Description: "Name of the S3 bucket"
KMSKeyArn:
Type: String
Description: "KMS Key Arn to encrypt S3 bucket"
Default: ""
SSEAlgorithm:
Type: String
Description: "Encryption algorithm for KMS"
AllowedValues:
- aws:kms
- AES256
Conditions:
AES256: !Equals [!Ref SSEAlgorithm, "AES256"]
Resources:
S3Bucket:
Type: 'AWS::S3::Bucket'
DeletionPolicy: Retain
UpdateReplacePolicy: Retain
Properties:
BucketName: !Ref BucketName
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
BucketEncryption:
ServerSideEncryptionConfiguration:
- !If
- AES256
- ServerSideEncryptionByDefault:
SSEAlgorithm: !Ref SSEAlgorithm
BucketKeyEnabled: true
- ServerSideEncryptionByDefault:
SSEAlgorithm: !Ref SSEAlgorithm
KMSMasterKeyID: !Ref KMSKeyArn
BucketKeyEnabled: true
回答済み 1年前
関連するコンテンツ
AWS公式更新しました 2年前
