You can also use the option ForceEncryption:
AWSTemplateFormatVersion: '2010-09-09'
Description: Amazon S3 Bucket with
Resources:
CodeFlexS3Bucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: !Join ["-", ["codeflex-example", Ref: "AWS::Region"]]
ForceEncryption:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref CodeFlexS3Bucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["", ["arn:aws:s3:::", !Ref CodeFlexS3Bucket, "/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "aws:kms"
DependsOn: CodeFlexS3Bucket
: S3 Bucket KMS CloudFormation