Improve SSE by specifying only one KMS key allowed
remiflament opened this issue
Context
In the last version 3.13.0 we had the possibility to enforce SSE(s3|kms) on the bucket uploads. #238 #233
This is a great feature, and we can go further, as the doc mentions, by specifying only one key authorized to encrypt objects.
Problem
We enforced SSE:KMS to encrypt objects, but we allow multiple keys to be used for the encryption... It can be a problem when we want to perform large backup or decryption automation in a business.
Describe the solution you'd like.
We specify a specific KMS key ARN in the IAM policy:
```hcl
data "aws_iam_policy_document" "s3_put_kms_only" {
  # Deny any upload that does not request SSE-KMS (the enforcement already shipped in 3.13.0).
  statement {
    sid       = "RequireKMSEncryption"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.bucket.s3_bucket_arn}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }

  # Deny any SSE-KMS upload that names a key other than the single authorized one.
  statement {
    sid       = "RequireKMSEncryptionKeyID"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.bucket.s3_bucket_arn}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [module.kms.key_arn]
    }

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}
```
I think I can propose the PR.
Please tell me if this enhancement makes sense to you.
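The two Deny statements above, modelled as an added example rather than code from the issue or from the module: a small Python evaluator that builds the IAM request context from a PutObject's headers and applies the `StringNotEquals` conditions, so the effect of the policy on each upload style (no SSE header, SSE-S3, SSE-KMS with the default key, SSE-KMS with another key, SSE-KMS with the authorized key) can be checked before rolling it out. The key ARNs are constructed placeholders standing in for `module.kms.key_arn`, and the handling of a header that is absent from the request follows my reading of the IAM rule for negated operators, stated as an assumption in the code.

```python
"""Added example (not the module's code): a model of how the two Deny
statements in the proposed bucket policy evaluate PutObject requests.

Request-context values come from the upload's headers; the key ARNs below
are constructed placeholders standing in for module.kms.key_arn.
"""

ALLOWED_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-ALLOWED-KEY"  # placeholder
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY"      # placeholder

# Mirrors the two statements from the issue. Both deny s3:PutObject for every
# principal ("*"), the bucket owner included, so a wrong key ARN here blocks
# all uploads, not just those from other accounts.
DENY_STATEMENTS = [
    ("RequireKMSEncryption",
     "s3:x-amz-server-side-encryption", ["aws:kms"]),
    ("RequireKMSEncryptionKeyID",
     "s3:x-amz-server-side-encryption-aws-kms-key-id", [ALLOWED_KEY_ARN]),
]

# S3 exposes these request headers as condition keys with an "s3:" prefix.
HEADER_TO_CONDITION_KEY = {
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
    "x-amz-server-side-encryption-aws-kms-key-id":
        "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def request_context(headers):
    """Build the IAM request context for a PutObject from its HTTP headers."""
    ctx = {}
    for name, value in headers.items():
        key = HEADER_TO_CONDITION_KEY.get(name.lower())
        if key is not None:
            ctx[key] = value
    return ctx


def string_not_equals(ctx, key, allowed_values):
    """IAM StringNotEquals: true when the value matches none of the allowed values.

    Assumption (my reading of the IAM rule for negated operators): a condition
    key absent from the request context also makes the condition true, so an
    upload that omits the header is denied rather than silently allowed.
    """
    if key not in ctx:
        return True
    return ctx[key] not in allowed_values


def evaluate_put_object(headers):
    """Return ("Deny", sid) for the first matching statement, else ("NotDenied", None).

    "NotDenied" only means this bucket policy adds no explicit Deny; the upload
    still needs an Allow from an IAM or bucket policy to succeed.
    """
    ctx = request_context(headers)
    for sid, key, allowed in DENY_STATEMENTS:
        if string_not_equals(ctx, key, allowed):
            return ("Deny", sid)
    return ("NotDenied", None)


# Constructed upload scenarios to check after the policy is applied.
SCENARIOS = {
    "no encryption header": {},
    "SSE-S3 (AES256)": {"x-amz-server-side-encryption": "AES256"},
    "SSE-KMS, default key (no key id header)": {"x-amz-server-side-encryption": "aws:kms"},
    "SSE-KMS, some other key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": OTHER_KEY_ARN,
    },
    "SSE-KMS, the allowed key": {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": ALLOWED_KEY_ARN,
    },
}


def evaluate_all():
    """Evaluate every scenario; returns {scenario: (decision, sid)}."""
    return {name: evaluate_put_object(h) for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, sid) in evaluate_all().items():
        print(f"{decision:9s} {sid or '-':26s} {name}")
```

The case worth noticing is the third scenario: an upload that asks for `aws:kms` but omits the key-id header falls back to the account's default key, and the second statement denies it, which is exactly the "only one key" behaviour the issue asks for.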
I think a PR would be useful for such an improvement.