Enable Encryption and SecureTransport on S3 buckets by default

Question

Enable Encryption and SecureTransport on S3 buckets by default

bmonkman opened this issue 4 years ago · comments

Bill Monkman commented 4 years ago

S3 buckets for assets and Terraform state should have encryption enabled by default through the aws provider resource:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
And though we don't really access buckets directly we should restrict traffic to HTTPS as well.
For this we can add aws:SecureTransport to the bucket policy: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Boolean

Steven Shi · Answer 1 · Wed Oct 07 2020 06:33:10 GMT+0800 (China Standard Time)

List of resource o f"aws_s3_bucket":

modules/s3_hosting/main.tf:r esource "aws_s3_bucket" "client_assets"
modules/cloudtrail/main.tf: resource "aws_s3_bucket" "cloudtrail"
bootstrap/remote-state/main.tf: resource "aws_s3_bucket" "terraform_remote_state"

Steven Shi · Answer 2 · Sat Oct 10 2020 02:23:45 GMT+0800 (China Standard Time)

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.

After certain experimental and discussions, we decided to use default SSE-S3 rather than SSE-KMS (which introduces extra maintenance cost for startups).