Amazon S3 supports bucket policies that you can use to require server-side encryption for all objects stored in your bucket. For example, the following bucket policy denies upload-object (s3:PutObject) permission to everyone if the request does not include an x-amz-server-side-encryption header requesting server-side encryption with SSE-KMS. Because a negated condition operator such as StringNotEquals also matches when the condition key is absent from the request, a PutObject request with no encryption header at all is denied, not only one that asks for a different method such as AES256. Note that this policy only requires that SSE-KMS is requested; it does not restrict which KMS key is used, and it does not by itself grant anyone permission to upload.
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YourBucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
To upload an object with server-side KMS encryption, you can use "aws s3api". Here is an example:

aws s3api put-object --bucket your-s3-bucket --key path_in_s3 --body local_path --server-side-encryption "aws:kms" --ssekms-key-id your_kms_key_id

path_in_s3: where you store your object in S3 (does not include the bucket name), for example: backup/file1.text
local_path: local file path
your_kms_key_id: the KMS key ID, key ARN or alias to encrypt with. You can get it from the KMS key list in the AWS console or with "aws kms list-keys". If you omit --ssekms-key-id, S3 uses the default AWS managed key for S3 in your account, which the policy above still accepts because the request carries the "aws:kms" header.
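The following is an added example, not code from the original post. It builds the bucket policy shown above for a given bucket name and then evaluates sample PutObject requests against it offline, using the IAM rule that a negated operator (StringNotEquals) matches when the condition key is missing. This makes the two cases the prose describes concrete: a request with no x-amz-server-side-encryption header and a request asking for AES256 are both denied, while an "aws:kms" request is not. It goes one step beyond the post: an optional second statement pins the upload to one KMS key through the s3:x-amz-server-side-encryption-aws-kms-key-id condition key. The bucket name, the key ARN and the sample requests are constructed placeholders; only Deny statements are modelled, and Principal is ignored, so "not denied" means "not denied by this policy", not "allowed".

```python
"""Build the SSE-KMS bucket policy and check PutObject requests against it offline.

Added example, not code from the original post. Standard library only.
"""
import json
from fnmatch import fnmatchcase

# Assumed names for illustration only.
BUCKET = "your-s3-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def build_policy(bucket, kms_key_arn=None):
    """Return the deny-unencrypted-uploads policy for `bucket` as a dict.

    The first statement is the one from the post. If `kms_key_arn` is given, a
    second statement (an addition beyond the post) also denies uploads that do
    not name exactly that key; a request that omits the key-id header is denied
    too, because StringNotEquals matches on a missing key.
    """
    resource = f"arn:aws:s3:::{bucket}/*"
    statements = [{
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": resource,
        "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
    }]
    if kms_key_arn:
        statements.append({
            "Sid": "DenyWrongKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": resource,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
        })
    return {"Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": statements}


def _condition_matches(operator, actual, expected):
    """One condition-key check. IAM rule for a missing key: non-negated
    operators evaluate to false, negated ones (StringNotEquals) to true."""
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual is not None and actual in values
    if operator == "StringNotEquals":
        return actual is None or actual not in values
    if operator == "Null":  # "true" matches when the key is absent
        return (actual is None) == (values[0] == "true")
    raise ValueError(f"operator {operator} not modelled here")


def put_object_denied(policy, bucket, key, headers):
    """Return the Sid of the first Deny statement that matches a PutObject of
    s3://bucket/key sent with `headers`, or None if this policy does not deny it.
    Only Deny statements are evaluated: an explicit Deny always wins, and the
    caller still needs an Allow from somewhere else to actually upload."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    # S3 exposes the request headers as condition keys prefixed with "s3:".
    context = {"s3:" + name.lower(): value for name, value in headers.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase("s3:PutObject", a) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        # Every operator and every key inside Condition must match (logical AND).
        if all(_condition_matches(op, context.get(k), v)
               for op, keys in stmt.get("Condition", {}).items()
               for k, v in keys.items()):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))  # save as policy.json for put-bucket-policy
    cases = {  # constructed sample requests, keyed by a label
        "no header": {},
        "SSE-S3 (AES256)": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, default key": {"x-amz-server-side-encryption": "aws:kms"},
        "SSE-KMS, pinned key": {"x-amz-server-side-encryption": "aws:kms",
                                "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN},
    }
    for label, hdrs in cases.items():
        verdict = put_object_denied(policy, BUCKET, "backup/file1.text", hdrs)
        print(f"{label:22} -> {'denied by ' + verdict if verdict else 'not denied'}")
```

To apply the generated policy, save the printed JSON to a file and run "aws s3api put-bucket-policy --bucket your-s3-bucket --policy file://policy.json". Without the key pin, the third sample request (header "aws:kms" with no key ID) is accepted and S3 falls back to the default AWS managed key; with the pin it is denied as well, which is the behaviour you want when compliance requires a specific customer managed key.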