terraform-aws-modules / terraform-aws-s3-bucket

Terraform module to create AWS S3 resources 🇺🇦

Home Page:https://registry.terraform.io/modules/terraform-aws-modules/s3-bucket/aws

Improve SSE by specifying only one KMS key allowed

remiflament opened this issue · comments

Context

In the last version 3.13.0 we had the possibility to enforce SSE(s3|kms) on the bucket uploads. #238 #233

This is a great feature, and we can go further, as the doc mentioned, by specifying only one key authorized to encrypt objects.

Problem

We enforced SSE:KMS to encrypt objects. But we allow multiple keys to be used for the encryption... It can be a problem when we want to perform large backup or decryption automation in a business.

Describe the solution you'd like.

We specify a specific KMS key arn in the IAM Policy

data "aws_iam_policy_document" "s3_put_kms_only" {
  # Statement 1: deny any PutObject that does not request SSE-KMS.
  statement {
    sid       = "RequireKMSEncryption"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.bucket.s3_bucket_arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }

  # Statement 2: deny any PutObject whose KMS key is not the single approved key.
  statement {
    sid       = "RequireKMSEncryptionKeyID"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${module.bucket.s3_bucket_arn}/*"]
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [module.kms.key_arn]
    }
    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

I think I can propose the PR.
Please tell me if this enhancement makes sense to you.
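To see which uploads the two Deny statements above would stop, here is a small Python simulation of their StringNotEquals checks. It is an added example, not code from the issue or the module; the key ARNs and request headers are constructed, and the simulator treats an absent header as failing the StringNotEquals check.

```python
"""Simulate how the two Deny statements from the proposed bucket policy
filter s3:PutObject requests. Added example, not part of the issue or the
module; ARNs and request headers below are constructed placeholders."""
from __future__ import annotations

ALLOWED_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/example-key-id"  # constructed

# Mirror of the two Deny statements, reduced to what the simulator needs.
DENY_STATEMENTS = [
    {"sid": "RequireKMSEncryption",
     "variable": "s3:x-amz-server-side-encryption",
     "values": {"aws:kms"}},
    {"sid": "RequireKMSEncryptionKeyID",
     "variable": "s3:x-amz-server-side-encryption-aws-kms-key-id",
     "values": {ALLOWED_KEY_ARN}},
]

def string_not_equals(request: dict, variable: str, values: set) -> bool:
    """Modeled StringNotEquals: true when the key is present with a value
    outside `values`; the simulator also treats an absent key as 'not equal'."""
    actual = request.get(variable)
    return actual is None or actual not in values

def evaluate_put_object(request: dict) -> tuple[str, str | None]:
    """Return ('deny', sid) for the first matching Deny, else ('allow', None).
    Only the two explicit Deny statements are modeled; a real request still
    needs a matching Allow from IAM or the bucket policy."""
    for stmt in DENY_STATEMENTS:
        if string_not_equals(request, stmt["variable"], stmt["values"]):
            return "deny", stmt["sid"]
    return "allow", None

# Constructed request contexts (condition keys S3 derives from the upload headers).
REQUESTS = {
    "right_key": {"s3:x-amz-server-side-encryption": "aws:kms",
                  "s3:x-amz-server-side-encryption-aws-kms-key-id": ALLOWED_KEY_ARN},
    "other_key": {"s3:x-amz-server-side-encryption": "aws:kms",
                  "s3:x-amz-server-side-encryption-aws-kms-key-id":
                      "arn:aws:kms:eu-west-1:111122223333:key/some-other-key"},
    "sse_s3": {"s3:x-amz-server-side-encryption": "AES256"},
    "no_headers": {},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:>10}: {evaluate_put_object(req)}")
```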

I think a PR would be useful for such an improvement.