CloudFormation template for setting default encryption for S3

S3 now supports encryption, which will be applied by default when individual PUT requests of an object do not contain a specific encryption header.

How can this be configured as part of creating a bucket in the CloudFormation template? I found an API call for this, but it would be great if it could be provided as an attribute in CloudFormation, rather than a separate step.

So far, the only parameters that I see are

  • make a separate API / client call after creating the bucket
  • use the older bucket policy method to reject unencrypted requests that can be provided through the CloudFormation S3::BucketPolicy resource

+6
2 answers

At some point, apparently between last Friday and today, they finally added the BucketEncryption property to S3 buckets in CloudFormation, which allows you to enable this encryption by default.

+6

jarmod is right, CloudFormation usually lags behind in implementing new features.

In the meantime, you can use a Lambda function in response to the CreateBucket event to call put_bucket_encryption (boto3) on the bucket.

This will use the first option you proposed, but you will not need to remember to make a separate API call.

+1
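
A sketch of the Lambda approach from the answer above, added here as an example and not code from either answer. It assumes the function is triggered by an EventBridge rule that delivers CloudTrail CreateBucket management events; the names handler, bucket_from_event and ensure_default_encryption are hypothetical, and the AES256 (SSE-S3) algorithm is an assumption, since the page does not name one.

```python
# Default rule: SSE-S3 (AES256). Assumption; the page does not name an algorithm.
DEFAULT_RULES = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}
NOT_CONFIGURED = "ServerSideEncryptionConfigurationNotFoundError"

# Constructed sample of the CloudTrail record as delivered by EventBridge.
SAMPLE_EVENT = {"detail": {
    "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
    "requestParameters": {"bucketName": "example-bucket"},
}}


def bucket_from_event(event):
    """Return the bucket name of a successful CreateBucket call, else None."""
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "s3.amazonaws.com":
        return None
    if detail.get("eventName") != "CreateBucket":
        return None
    if detail.get("errorCode"):  # the CreateBucket request itself failed
        return None
    return (detail.get("requestParameters") or {}).get("bucketName")


def ensure_default_encryption(s3, bucket):
    """Apply default encryption unless the bucket already has a configuration."""
    try:
        s3.get_bucket_encryption(Bucket=bucket)
        return "already-encrypted"  # keep e.g. a KMS rule set by a template
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != NOT_CONFIGURED:
            raise  # AccessDenied, NoSuchBucket, ...: surface it, do not guess
    s3.put_bucket_encryption(
        Bucket=bucket, ServerSideEncryptionConfiguration=DEFAULT_RULES
    )
    return "encryption-applied"


def handler(event, context, s3=None):
    """Lambda entry point; s3 is injectable so the logic can be tested offline."""
    bucket = bucket_from_event(event)
    if bucket is None:
        return {"status": "ignored"}
    if s3 is None:
        import boto3  # provided by the Lambda Python runtime
        s3 = boto3.client("s3")
    return {"bucket": bucket, "status": ensure_default_encryption(s3, bucket)}
```

The function's execution role needs s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the buckets it manages.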