由于 AWSSamples::S3BucketEncrypt::Hook，使用加密创建 S3 存储桶失败

发布于 2025-01-11 07:48:48 字数 2467 浏览 0 评论 0原文

我已使用以下配置激活 AWSSamples::S3BucketEncrypt::Hook，但由于该挂钩，启用加密的 S3 存储桶创建似乎失败。

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "AES256"
      }
    }
  }
}

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

以下 CloudFormation 堆栈应该可以通过，但它们失败了。它们似乎只有在我禁用钩子时才起作用。我检查了信任策略，这对于 CloudFormation 访问钩子和 S3 存储桶来说似乎没问题。

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
    DeletionPolicy: Delete

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

原文

I have activated AWSSamples::S3BucketEncrypt::Hook with the following configuration but S3 bucket creation with encryption enabled seems to be failing because of the hook.

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "AES256"
      }
    }
  }
}

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

The following CloudFormation stacks are supposed to pass but they are failing. They only seem to work when I disable the hook. I have checked the trust policy, which seems fine for CloudFormation to access the hook and S3 bucket.

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
    DeletionPolicy: Delete

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

家住魔仙堡 2025-01-18 07:48:48

存在多个问题

需要使用 https://github.com/aws-cloudformation/aws-cloudformation-samples/blob/main/hooks/python-hooks/s3-bucket-encryption/hook-role.yaml
CF Hook配置需要为以下
KMS

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

3.1 使用以下 CF 为点 3 创建 SSE-S3 存储桶

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

SSE-S3

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
 EncryptedS3Bucket:
   Type: 'AWS::S3::Bucket'
   Properties:
     BucketName: !Sub 'aesencryptedbucket-${AWS::Region}-${AWS::AccountId}'
     BucketEncryption:
       ServerSideEncryptionConfiguration:
         - ServerSideEncryptionByDefault:
             SSEAlgorithm: AES256
   DeletionPolicy: Delete

4.1 使用以下 CF 为点创建 SSE-S3 存储桶4号

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

There were multiple issues

The role need to be created using https://github.com/aws-cloudformation/aws-cloudformation-samples/blob/main/hooks/python-hooks/s3-bucket-encryption/hook-role.yaml
CF Hook Configuration need to be the following
KMS

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

3.1 Use the following CF to create SSE-S3 bucket for point no 3

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

SSE-S3

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
 EncryptedS3Bucket:
   Type: 'AWS::S3::Bucket'
   Properties:
     BucketName: !Sub 'aesencryptedbucket-${AWS::Region}-${AWS::AccountId}'
     BucketEncryption:
       ServerSideEncryptionConfiguration:
         - ServerSideEncryptionByDefault:
             SSEAlgorithm: AES256
   DeletionPolicy: Delete

4.1 Use the following CF to create SSE-S3 bucket for point no 4

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

回复收藏 0 原文

潦草背影 2025-01-18 07:48:48

具有基于条件的加密的 S3 存储桶的 CloudFormation 模板是：

# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template

Parameters:
  BucketName:
    Type: String
    Description: "Name of the S3 bucket"
  KMSKeyArn:
    Type: String
    Description: "KMS Key Arn to encrypt S3 bucket"
    Default: ""
  SSEAlgorithm:
    Type: String
    Description: "Encryption algorithm for KMS"
    AllowedValues:
      - aws:kms
      - AES256

Conditions:
  AES256: !Equals [!Ref SSEAlgorithm, "AES256"]

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - !If
          - AES256
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
            BucketKeyEnabled: true
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSKeyArn
            BucketKeyEnabled: true

使用上面的代码，您可以使用客户管理的 KMS 密钥或 AWS 托管密钥，具体取决于其使用情况，而不会导致堆栈漂移。属性 KMSMasterKeyID 不适用于 AWS 托管加密 (SSE-S3)。

CloudFormation template for S3 bucket with condition based encryption is:

# version: 1.0
AWSTemplateFormatVersion: "2010-09-09"
Description: Create standardized S3 bucket using CloudFormation Template

Parameters:
  BucketName:
    Type: String
    Description: "Name of the S3 bucket"
  KMSKeyArn:
    Type: String
    Description: "KMS Key Arn to encrypt S3 bucket"
    Default: ""
  SSEAlgorithm:
    Type: String
    Description: "Encryption algorithm for KMS"
    AllowedValues:
      - aws:kms
      - AES256

Conditions:
  AES256: !Equals [!Ref SSEAlgorithm, "AES256"]

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Ref BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption: 
        ServerSideEncryptionConfiguration: 
        - !If
          - AES256
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
            BucketKeyEnabled: true
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !Ref SSEAlgorithm
              KMSMasterKeyID: !Ref KMSKeyArn
            BucketKeyEnabled: true

Using the code above you can either use Customer managed KMS key or AWS Managed key depending on it's use without drifting the stack. The property KMSMasterKeyID is not available for AWS managed encryption (SSE-S3).

回复收藏 0 原文

~没有更多了~