@dpup
Last active August 23, 2018 23:22
S3 Server-Side Encryption using KMS
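# Customer-managed KMS key for the uploads bucket.
#
# When a named KMS key is set on the S3 bucket and `policy` is omitted, the
# key gets the default key policy (account root only). S3 then returns
# Access Denied for PutObject/GetObject unless every caller's IAM policy
# also grants kms:GenerateDataKey / kms:Decrypt on this key. The key policy
# attached below (data.aws_iam_policy_document.uploads_key_policy) instead
# lets principals in this account use the key when the call is made through
# S3, so S3 permissions alone decide who can read and write objects.
resource "aws_kms_key" "uploads" {
  description             = "Encrypts uploads stored in S3"
  deletion_window_in_days = 10

  # Annual automatic rotation of the backing key material. KMS keeps the
  # previous material, so existing ciphertext stays decryptable and the key
  # ARN / alias do not change; this is safe to enable on an existing key.
  enable_key_rotation = true

  policy = "${data.aws_iam_policy_document.uploads_key_policy.json}"
}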
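# Region the bucket lives in (the provider's region, since the bucket does
# not set one). Used to pin kms:ViaService to S3 in that region only.
data "aws_region" "current" {}

# Key policy for aws_kms_key.uploads.
#
# Statement 1 gives the account root full control; this is what lets IAM
# policies in the account grant KMS permissions at all, and without it the
# key cannot be administered.
#
# Statement 2 is what makes SSE-KMS transparent for S3 users: any principal
# in this account may use the key, but ONLY when the KMS call is made by S3
# on the principal's behalf (kms:ViaService). Direct kms:Decrypt calls with
# this key are still denied. The net effect is that S3 object permissions
# (s3:PutObject / s3:GetObject) become the only gate: anyone in the account
# who can read an object can decrypt it. Bear that in mind before sharing
# this key across buckets.
data "aws_iam_policy_document" "uploads_key_policy" {
  statement {
    sid    = "Enable IAM User Permissions"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:root"]
    }

    actions   = ["kms:*"]
    resources = ["*"]
  }

  statement {
    sid    = "S3 Users"
    effect = "Allow"

    # The wildcard principal is deliberately broad; the two conditions below
    # scope it down, and both must hold for the statement to match.
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions = [
      "kms:DescribeKey",
      "kms:GenerateDataKey*",
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:Decrypt"
    ]

    resources = ["*"]

    # Only when S3 in the bucket's region is the service making the call.
    # The region must match the bucket's region -- a mismatch reproduces the
    # Access Denied this policy exists to avoid -- so it is derived from the
    # provider instead of being hard-coded.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.current.name}.amazonaws.com"]
    }

    # Only principals from this account, even though the principal is "*".
    condition {
      test     = "StringEquals"
      variable = "kms:CallerAccount"
      values   = ["${var.account_id}"]
    }

    # NOTE(review): as written, any bucket in this account and region can use
    # this key. S3 passes the bucket/object ARN to KMS as encryption context
    # under "aws:s3:arn"; a StringLike condition on
    # "kms:EncryptionContext:aws:s3:arn" limited to the uploads bucket's ARN
    # would restrict the key to that bucket. Verify the exact context value
    # against the S3 docs before adding it -- a wrong pattern blocks every
    # upload.
  }
}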
# Human-readable alias for the uploads key, so callers and the console can
# refer to it without the raw key ID.
resource "aws_kms_alias" "uploads" {
  target_key_id = "${aws_kms_key.uploads.key_id}"
  name          = "alias/s3-uploads"
}
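# Uploads bucket with SSE-KMS as the default encryption.
#
# "Default" means S3 applies this key only when a PutObject request carries
# no x-amz-server-side-encryption header. A request that explicitly asks for
# a different mode (e.g. AES256 / SSE-S3, or another KMS key) is honoured as
# sent, so the bucket policy further down additionally denies uploads that
# name any mode other than aws:kms. Header-less uploads are left alone so
# that default encryption still applies to them.
resource "aws_s3_bucket" "uploads" {
  bucket = "our-awesome-uploads"
  acl    = "private"

  # Keep previous object versions; also guards against accidental overwrite
  # or deletion of encrypted objects.
  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.uploads.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }

  # NOTE(review): acl = "private" only sets the initial ACL; it does not stop
  # a later public ACL or bucket policy. On provider versions that support
  # it, pair this bucket with aws_s3_bucket_public_access_block (all four
  # settings true).
}

# Deny PutObject requests that explicitly request a non-KMS encryption mode,
# which would otherwise bypass the bucket's default SSE-KMS key.
data "aws_iam_policy_document" "uploads_bucket_policy" {
  statement {
    sid    = "DenyNonKmsEncryptedUploads"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.uploads.arn}/*"]

    # Both conditions must hold: the header is present AND it is not aws:kms.
    # The Null check keeps header-less uploads allowed (default encryption
    # covers them); on its own, StringNotEquals also matches a missing header
    # and would deny every plain upload.
    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["false"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }

    # NOTE(review): this does not pin WHICH KMS key is used; a client may
    # still pass x-amz-server-side-encryption-aws-kms-key-id naming another
    # key it can use. Pinning via s3:x-amz-server-side-encryption-aws-kms-key-id
    # is possible but the header may carry a key ID, ARN or alias, so match
    # all forms you accept before adding such a condition.
  }
}

resource "aws_s3_bucket_policy" "uploads" {
  bucket = "${aws_s3_bucket.uploads.id}"
  policy = "${data.aws_iam_policy_document.uploads_bucket_policy.json}"
}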