Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

S3 bucket creation with encryption is failing because of AWSSamples::S3BucketEncrypt::Hook

0

Hi,

I have activated AWSSamples::S3BucketEncrypt::Hook with the following configuration but S3 bucket creation with encryption enabled seems to be failing because of the hook. It works when I disable the hook. Could this be an issue?

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "AES256"
      }
    }
  }
}

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

AWSSamples::S3BucketEncrypt::Hook configuration

AWSSamples::S3BucketEncrypt::Hook

CloudFormation for S3 bucket with AES256 encryption - Expected to Pass

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
    DeletionPolicy: Delete

CloudFormation for S3 bucket with KMS encryption - Expected to Pass

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket
Themen
SpeicherSicherheit, Identität & KonformitätManagement & Unternehmensführung
Tags
Amazon Simple Storage ServiceAWS-SchlüsselverwaltungsserviceAWS BefehlszeilenschnittstelleAWS CloudFormationVerschlüsselung
Sprache
English
profile picture
Sri
gefragt vor 2 Jahren252 Aufrufe
1 Antwort
0
Akzeptierte Antwort

There were multiple issues when I attempted this. Here are the list of things to do in order to resolve.

  1. The role need to be created using https://github.com/aws-cloudformation/aws-cloudformation-samples/blob/main/hooks/python-hooks/s3-bucket-encryption/hook-role.yaml
  2. CF Hook Configuration need to be the following
  3. KMS
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

3.1 Use the following CF to create SSE-S3 bucket for point no 3

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

OR

  1. SSE-S3
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
 EncryptedS3Bucket:
   Type: 'AWS::S3::Bucket'
   Properties:
     BucketName: !Sub 'aesencryptedbucket-${AWS::Region}-${AWS::AccountId}'
     BucketEncryption:
       ServerSideEncryptionConfiguration:
         - ServerSideEncryptionByDefault:
             SSEAlgorithm: AES256
   DeletionPolicy: Delete

4.1 Use the following CF to create SSE-S3 bucket for point no 4

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"
profile picture
Sri
beantwortet vor 2 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt