To manage bucket encryption using condition in CloudFormation template

0

Hi AWS, I am trying to impose a condition on S3 BucketEncryption property whether it should be customer managed (SSE-KMS) or AWS managed key (SSE-S3). The code for the template is:

# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template

Parameters:
  BucketName:
    Type: String
    Description: "Name of the S3 bucket"
  KMSKeyArn:
    Type: String
    Description: "KMS Key Arn to encrypt S3 bucket"
    Default: ""
  SSEAlgorithm:
    Type: String
    Description: "Encryption algorithm for KMS"
    AllowedValues:
      - aws:kms
      - AES256

Conditions:
  KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - !If
          - KMSKeysProvided
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSKeyArn
            BucketKeyEnabled: true
          - !Ref "AWS::NoValue"

When I am selecting the SSEAlgorithm as AES256 I am receiving this error Property ServerSideEncryptionConfiguration cannot be empty. I know KMSMasterKeyID should not be present when the SSEAlgorithm is of AES256 type but I am confused how to get rid of this error.

Please help.

profile picture
asked a year ago437 views
2 Answers
1
Accepted Answer

Hello,

I hope you're doing well!

You are right. KMSMasterKeyID should not be present when the SSEAlgorithm is of AES256 type. So, you should check SSEAlgorithm type. Not KMSKeysProvided. Please check the updated following example.

# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template

Parameters:
  BucketName:
    Type: String
    Description: "Name of the S3 bucket"
  KMSKeyArn:
    Type: String
    Description: "KMS Key Arn to encrypt S3 bucket"
    Default: ""
  SSEAlgorithm:
    Type: String
    Description: "Encryption algorithm for KMS"
    AllowedValues:
      - aws:kms
      - AES256

Conditions:
  KMSKeysProvided: !Not [!Equals [!Ref KMSKeyArn, ""]]

Conditions:
  AES256: !Equals [!Ref SSEAlgorithm, "AES256"]

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - !If
          - AES256
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
            BucketKeyEnabled: true
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSKeyArn
            BucketKeyEnabled: true

I hope this to be helpful.

AWS
Daein_C
answered a year ago
0

The working code:

# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template

Parameters:
  BucketName:
    Type: String
    Description: "Name of the S3 bucket"
  KMSKeyArn:
    Type: String
    Description: "KMS Key Arn to encrypt S3 bucket"
    Default: ""
  SSEAlgorithm:
    Type: String
    Description: "Encryption algorithm for KMS"
    AllowedValues:
      - aws:kms
      - AES256

Conditions:
  AES256: !Equals [!Ref SSEAlgorithm, "AES256"]

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - !If
          - AES256
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
            BucketKeyEnabled: true
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSKeyArn
            BucketKeyEnabled: true

profile picture
answered a year ago
profile picture
EXPERT
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions