@lhilton
Last active June 10, 2019 20:55
Create the bucket. The LocationConstraint must match --region (omit --create-bucket-configuration only for us-east-1). Bucket names containing dots, like the placeholder below, cannot be used with virtual-hosted-style HTTPS because they do not match the *.s3.amazonaws.com wildcard certificate; prefer a dot-free name unless you need one for static website hosting:

aws s3api create-bucket \
    --region us-east-2 \
    --acl private \
    --bucket foo.bar.mar.test \
    --create-bucket-configuration LocationConstraint=us-east-2 \
    --profile configured_aws_profile_or_remove_for_default

Set default server-side encryption (SSE-S3, AES256). Since January 2023 S3 encrypts every new object with SSE-S3 by default, so this pins that default explicitly; use "SSEAlgorithm": "aws:kms" together with a "KMSMasterKeyID" if you need a customer-managed KMS key:

aws s3api put-bucket-encryption \
    --bucket foo.bar.mar.test \
    --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}' \
    --profile configured_aws_profile_or_remove_for_default

Attach a bucket policy granting one IAM user object access. Note that an Allow-only policy does not lock anyone out by itself: other principals in the bucket owner's account still get whatever their own IAM policies grant, and this policy has no s3:ListBucket on the bucket ARN, so the user can get, put and delete objects but not list them:

aws s3api put-bucket-policy \
    --bucket foo.bar.mar.test \
    --policy file://policy.json \
    --profile configured_aws_profile_or_remove_for_default

Block public access. Apply this as early as possible (ideally right after creating the bucket): with BlockPublicPolicy set, a later put-bucket-policy that would make the bucket public is rejected rather than applied, and BlockPublicAcls/IgnorePublicAcls neutralize public object ACLs:

aws s3api put-public-access-block \
    --bucket foo.bar.mar.test \
    --public-access-block-configuration '{ "BlockPublicAcls": true, "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true }' \
    --profile configured_aws_profile_or_remove_for_default

policy.json file contents (update with the appropriate user ARN; "Version": "2012-10-17" selects the current policy language, and the original omitted it, which silently falls back to the 2008 grammar):

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllowNamedUserObjectAccess",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/some-user"
         },
         "Action": [
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObject"
         ],
         "Resource": "arn:aws:s3:::foo.bar.mar.test/*"
      }
   ]
}
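The three JSON documents above (bucket policy, encryption configuration, public access block) are what actually decide whether the bucket ends up private, so it is worth linting them before they are handed to the CLI. The following is an added example, not part of the gist: a small offline pre-flight check that builds the same user policy with an explicit Version, flags unconditional wildcard-principal Allows (the thing BlockPublicPolicy would reject), resources not scoped to the bucket, missing public-access-block flags, and a weak encryption configuration. The bucket name and user ARN are the gist's placeholders; the function names and Sid are this example's own assumptions.

```python
"""Offline pre-flight checks for the S3 hardening JSON used with the aws s3api commands.

Added example, not from the gist. No AWS calls are made; it only inspects the
documents you would pass to put-bucket-policy, put-bucket-encryption and
put-public-access-block.
"""
import json

# Placeholders taken from the gist (assumed values, replace with your own).
BUCKET = "foo.bar.mar.test"
USER_ARN = "arn:aws:iam::123456789012:user/some-user"

# The four flags put-public-access-block accepts; all must be true for a full block.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)
ALLOWED_SSE_ALGORITHMS = ("AES256", "aws:kms")


def build_user_policy(bucket, user_arn,
                      actions=("s3:GetObject", "s3:PutObject", "s3:DeleteObject")):
    """Policy document equivalent to the gist's policy.json, with Version and Sid set."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedUserObjectAccess",  # assumed Sid, not from the gist
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": list(actions),
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for the principal forms that make a statement public: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def lint_bucket_policy(policy, bucket):
    """Return a list of findings for a bucket policy document; empty means it passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append('Version should be "2012-10-17" (the default 2008 grammar lacks policy variables)')
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        label = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") != "Allow":
            continue
        # An unconditional Allow to "*" is exactly what BlockPublicPolicy rejects.
        if _principal_is_wildcard(st.get("Principal")) and not st.get("Condition"):
            findings.append(f"{label}: unconditional Allow to a wildcard principal (public)")
        for res in _as_list(st.get("Resource", [])):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{label}: Resource {res!r} is not scoped to bucket {bucket}")
    return findings


def lint_public_access_block(config):
    """Names of public-access-block flags that are missing or not true."""
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if config.get(flag) is not True]


def lint_encryption_config(config):
    """Findings for a server-side-encryption-configuration document."""
    rules = config.get("Rules", [])
    if not rules:
        return ["no encryption Rules"]
    findings = []
    for i, rule in enumerate(rules):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo not in ALLOWED_SSE_ALGORITHMS:
            findings.append(f"Rules[{i}]: unsupported SSEAlgorithm {algo!r}")
        elif algo == "aws:kms" and not default.get("KMSMasterKeyID"):
            # Without a key ID, aws:kms silently uses the AWS-managed aws/s3 key.
            findings.append(f"Rules[{i}]: aws:kms without KMSMasterKeyID uses the AWS-managed key")
    return findings


def cli_json(obj):
    """Compact JSON suitable for a --policy / --*-configuration argument or policy.json."""
    return json.dumps(obj, separators=(",", ":"))


if __name__ == "__main__":
    policy = build_user_policy(BUCKET, USER_ARN)
    print(cli_json(policy))
    print("policy findings:", lint_bucket_policy(policy, BUCKET))
```

Run it and paste the printed policy into policy.json; any non-empty findings list means the document should be fixed before the corresponding put-* command is issued.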