由于AWSSamples::S3BucketEncrypt::Hook导致的加密S3存储桶创建失败
0
【以下的问题经过翻译处理】 我已使用以下配置激活了AWSSamples::S3BucketEncrypt::Hook,但启用加密的S3存储桶的创建似乎因为该Hook而失败。当我禁用该Hook时,它可以正常工作。问题在哪里呢?
{
"CloudFormationConfiguration": {
"HookConfiguration": {
"TargetStacks": "ALL",
"FailureMode": "FAIL",
"Properties": {
"minBuckets": "1",
"encryptionAlgorithm": "AES256"
}
}
}
}
{
"CloudFormationConfiguration": {
"HookConfiguration": {
"TargetStacks": "ALL",
"FailureMode": "FAIL",
"Properties": {
"minBuckets": "1",
"encryptionAlgorithm": "aws:kms"
}
}
}
}
AWSSamples::S3BucketEncrypt::Hook配置
AWSSamples::S3BucketEncrypt::Hook
使用AES256加密的S3存储桶的CloudFormation - 预期应该可以通过
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
DeletionPolicy: Delete
使用KMS加密的S3存储桶的CloudFormation - 预期应该可以通过
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
DeletionPolicy: Delete
1 回答
- 最新
- 投票最多
- 评论最多
0
【以下的回答经过翻译处理】 我在尝试时遇到了多个问题。为了解决这些问题,下面是需要执行的步骤列表。
- 需要使用https://github.com/aws-cloudformation/aws-cloudformation-samples/blob/main/hooks/python-hooks/s3-bucket-encryption/hook-role.yaml创建角色。
- CF Hook配置需要如下所示:
- KMS
{
"CloudFormationConfiguration": {
"HookConfiguration": {
"TargetStacks": "ALL",
"FailureMode": "FAIL",
"Properties": {
"minBuckets": "1",
"encryptionAlgorithm": "aws:kms"
}
}
}
}
3.1 使用以下CF创建SSE-S3存储桶以完成第3点。
AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
KMSMasterKeyID: !Ref EncryptionKey
BucketKeyEnabled: true
Tags:
- Key: "keyname1"
Value: "value1"
EncryptionKey:
Type: AWS::KMS::Key
Properties:
Description: KMS key used to encrypt the resource type artifacts
EnableKeyRotation: true
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: Enable full access for owning account
Effect: Allow
Principal:
AWS: !Ref "AWS::AccountId"
Action: kms:*
Resource: "*"
Outputs:
EncryptedBucketName:
Value: !Ref EncryptedS3Bucket
或者
- SSE-S3
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'aesencryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
DeletionPolicy: Delete
4.1 使用以下CF创建SSE-S3存储桶以完成第4点。
AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
BucketKeyEnabled: true
Tags:
- Key: "keyname1"
Value: "value1"