Create the bucket (private canned ACL, region us-east-2):
# Create the bucket with a private canned ACL in us-east-2.
# The LocationConstraint must match --region (it is required for any
# region other than us-east-1).
create_bucket_args=(
  --region us-east-2
  --acl private
  --bucket foo.bar.mar.test
  --create-bucket-configuration LocationConstraint=us-east-2
  --profile configured_aws_profile_or_remove_for_default
)
aws s3api create-bucket "${create_bucket_args[@]}"
Enable default server-side encryption (SSE-S3, AES256) for new objects:
# Turn on default server-side encryption (SSE-S3 / AES256) so that
# objects written without an explicit encryption header are still
# encrypted at rest.
put_bucket_encryption_args=(
  --bucket foo.bar.mar.test
  --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
  --profile configured_aws_profile_or_remove_for_default
)
aws s3api put-bucket-encryption "${put_bucket_encryption_args[@]}"
Attach a bucket policy granting object access to a single IAM user (the policy below is Allow-only; the actual lock-down comes from the private ACL above and the public access block below):
# Attach the bucket policy from ./policy.json (resolved relative to the
# current working directory).
# NOTE(review): the accompanying policy.json contains a single Allow
# statement for one IAM user on foo.bar.mar.test/* — it grants access, it
# does not by itself deny other principals; confirm the lock-down relies
# on the private ACL and the public access block applied afterwards.
put_bucket_policy_args=(
  --bucket foo.bar.mar.test
  --policy file://policy.json
  --profile configured_aws_profile_or_remove_for_default
)
aws s3api put-bucket-policy "${put_bucket_policy_args[@]}"
Block all public access (public ACLs and public bucket policies):
# Enable all four public-access-block settings: new and existing public
# ACLs are blocked/ignored, public bucket policies are rejected, and
# cross-account access to the bucket is restricted when the policy is
# public.
put_public_access_block_args=(
  --bucket foo.bar.mar.test
  --public-access-block-configuration '{ "BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true }'
  --profile configured_aws_profile_or_remove_for_default
)
aws s3api put-public-access-block "${put_public_access_block_args[@]}"
policy.json
file contents (replace the example account id and user name with the appropriate user ARN). The policy grants only object-level actions (GetObject, DeleteObject, PutObject) on `foo.bar.mar.test/*`; it carries no `"Version"` element, so AWS applies the legacy 2008-10-17 default, which is sufficient here because no policy variables are used:
{
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/some-user"
},
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::foo.bar.mar.test/*"
}
]
}