Introduction
In the realm of cloud computing, secure and efficient data storage is paramount. AWS's Simple Storage Service (S3) offers a robust solution, but it requires careful configuration to ensure security and compliance. This blog post walks you through setting up a secure S3 bucket using AWS CloudFormation, including KMS encryption and a policy to enforce HTTPS-only access.
Complete CloudFormation Script
Before diving into the details, here's the entire CloudFormation script that we will be dissecting:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
# KMS Key for S3 bucket encryption
MyKMSKey:
Type: 'AWS::KMS::Key'
Properties:
Description: 'KMS Key for S3 bucket encryption'
KeyPolicy:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
Action: 'kms:*'
Resource: '*'
# S3 Bucket with server-side encryption using the above KMS key
MyS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName: !Sub 'my-cloudformation-bucket-${AWS::AccountId}-${AWS::Region}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: aws:kms
KMSMasterKeyID: !Ref MyKMSKey
# Bucket Policy to deny HTTP requests and enforce HTTPS
BucketPolicy:
Type: 'AWS::S3::BucketPolicy'
Properties:
Bucket: !Ref MyS3Bucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Deny
Principal: '*'
Action: 's3:*'
Resource:
- !Sub 'arn:aws:s3:::${MyS3Bucket}/*'
- !Sub 'arn:aws:s3:::${MyS3Bucket}'
Condition:
Bool:
'aws:SecureTransport': 'false'
Step-by-Step Explanation
Template Version Declaration
- Specifies the CloudFormation template's format version, ensuring compatibility with AWS.
Resource Section
- This section declares the AWS resources that will be created or configured.
KMS Key Creation
- A KMS (Key Management Service) key (
MyKMSKey
) is defined for encrypting the S3 bucket's contents.
- A KMS (Key Management Service) key (
S3 Bucket Configuration
- An S3 bucket (
MyS3Bucket
) is defined, with a unique name that includes the account ID and region. It's configured to use server-side encryption with the KMS key.
- An S3 bucket (
Bucket Policy for HTTPS Enforcement
- A bucket policy (
BucketPolicy
) is attached to the S3 bucket. This policy denies all requests that aren't made over HTTPS, effectively preventing HTTP access.
- A bucket policy (
Deploying the Template
To deploy this configuration:
Save the above script as a
.yaml
file.Use it to create a new stack in AWS CloudFormation.
Conclusion
Using CloudFormation to configure an S3 bucket ensures that your storage is not only efficient but also secure. The integration of KMS encryption and a strict HTTPS-only policy safeguards your data both at rest and in transit. This approach of infrastructure as code promotes best practices in security and enables easier management and scalability of cloud resources. With CloudFormation, complex configurations become manageable, paving the way for robust and secure cloud infrastructure.