AWS CloudFormation - creating a secure S3 bucket

Introduction

In the realm of cloud computing, secure and efficient data storage is paramount. AWS's Simple Storage Service (S3) offers a robust solution, but it requires careful configuration to ensure security and compliance. This blog post walks you through setting up a secure S3 bucket using AWS CloudFormation, including KMS encryption and a policy to enforce HTTPS-only access.

Complete CloudFormation Script

Before diving into the details, here's the entire CloudFormation script that we will be dissecting:

AWSTemplateFormatVersion: '2010-09-09'

Resources:

  # KMS Key for S3 bucket encryption
  MyKMSKey:
    Type: 'AWS::KMS::Key'
    Properties:
      Description: 'KMS Key for S3 bucket encryption'
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'

  # S3 Bucket with server-side encryption using the above KMS key
  MyS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'my-cloudformation-bucket-${AWS::AccountId}-${AWS::Region}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref MyKMSKey

  # Bucket Policy to deny HTTP requests and enforce HTTPS
  BucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref MyS3Bucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Deny
            Principal: '*'
            Action: 's3:*'
            Resource: 
              - !Sub 'arn:aws:s3:::${MyS3Bucket}/*'
              - !Sub 'arn:aws:s3:::${MyS3Bucket}'
            Condition:
              Bool:
                'aws:SecureTransport': 'false'

Step-by-Step Explanation

  1. Template Version Declaration
     • Specifies the CloudFormation template's format version, ensuring compatibility with AWS.

  2. Resource Section
     • This section declares the AWS resources that will be created or configured.

  3. KMS Key Creation
     • A KMS (Key Management Service) key (MyKMSKey) is defined for encrypting the S3 bucket's contents. Its key policy grants the account root principal full kms:* access, which is the minimum needed for IAM policies in the account to govern use of the key.

  4. S3 Bucket Configuration
     • An S3 bucket (MyS3Bucket) is defined, with a unique name that includes the account ID and region. Its BucketEncryption setting makes server-side encryption with the KMS key (SSEAlgorithm aws:kms) the default for every object written to it.

  5. Bucket Policy for HTTPS Enforcement
     • A bucket policy (BucketPolicy) is attached to the S3 bucket. It denies every s3:* action on both the bucket and its objects whenever the condition key aws:SecureTransport is false, i.e. whenever the request arrives over plain HTTP, so only HTTPS access is possible.
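A practitioner typically wants to confirm these two controls are present before a stack is created, rather than after the bucket is live. The script below is an added example, not code from the original post: it inspects a template for a default SSE-KMS encryption rule and for a bucket policy that denies s3:* on both the bucket ARN and the object ARN when aws:SecureTransport is false. It works on the JSON form of the template (CloudFormation accepts JSON as well as YAML; the YAML short forms !Ref and !Sub are the "Ref" and "Fn::Sub" objects here), so it needs only the standard library. Both templates in the script are constructed for this example: SECURE_TEMPLATE mirrors the post's YAML, and WEAK_TEMPLATE is the same bucket with the encryption block and the policy removed.

```python
"""Pre-deployment check for the two controls the post's template establishes.
Added example, not code from the original post.  SECURE_TEMPLATE and
WEAK_TEMPLATE are constructed here; the checker accepts any template dict."""
import copy

SECURE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "MyKMSKey": {"Type": "AWS::KMS::Key", "Properties": {
            "KeyPolicy": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": "kms:*", "Resource": "*",
                "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}}}]}}},
        "MyS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketName": {"Fn::Sub": "my-cloudformation-bucket-${AWS::AccountId}-${AWS::Region}"},
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
                "ServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": {"Ref": "MyKMSKey"}}}]}}},
        "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "MyS3Bucket"},
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [{"Fn::Sub": "arn:aws:s3:::${MyS3Bucket}/*"},
                             {"Fn::Sub": "arn:aws:s3:::${MyS3Bucket}"}],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    },
}

# Same bucket with no default encryption and no policy: what the checker must reject.
WEAK_TEMPLATE = copy.deepcopy(SECURE_TEMPLATE)
del WEAK_TEMPLATE["Resources"]["MyS3Bucket"]["Properties"]["BucketEncryption"]
del WEAK_TEMPLATE["Resources"]["BucketPolicy"]


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _sub_text(value):
    """Literal text of a plain string or an Fn::Sub (string or [string, vars])."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        body = value["Fn::Sub"]
        return body if isinstance(body, str) else body[0]
    return value if isinstance(value, str) else ""


def resources_of_type(template, rtype):
    return {n: r for n, r in template.get("Resources", {}).items() if r.get("Type") == rtype}


def bucket_uses_kms(bucket):
    """True if a default SSE rule uses aws:kms with an explicit key."""
    cfg = bucket.get("Properties", {}).get("BucketEncryption", {})
    for rule in cfg.get("ServerSideEncryptionConfiguration", []):
        default = rule.get("ServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return True
    return False


def statement_denies_plain_http(stmt, bucket_logical_id):
    """True if this statement denies s3:* for everyone over non-TLS on bucket and objects."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if "s3:*" not in _as_list(stmt.get("Action", [])):
        return False  # narrower actions leave other operations reachable over HTTP
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if str(flag).lower() != "false":  # accept the string 'false' or the boolean False
        return False
    arns = {_sub_text(r) for r in _as_list(stmt.get("Resource", []))}
    bucket_arn = "arn:aws:s3:::${" + bucket_logical_id + "}"
    return "*" in arns or {bucket_arn, bucket_arn + "/*"} <= arns


def check_template(template):
    """Return {bucket_logical_id: {"kms": bool, "https_only": bool}}."""
    policies = resources_of_type(template, "AWS::S3::BucketPolicy").values()
    report = {}
    for name, bucket in resources_of_type(template, "AWS::S3::Bucket").items():
        https_only = False
        for policy in policies:
            props = policy.get("Properties", {})
            if props.get("Bucket") != {"Ref": name}:
                continue  # policy belongs to a different bucket
            statements = _as_list(props.get("PolicyDocument", {}).get("Statement", []))
            https_only = any(statement_denies_plain_http(s, name) for s in statements)
        report[name] = {"kms": bucket_uses_kms(bucket), "https_only": https_only}
    return report


def findings(template):
    """Missing controls as readable lines; an empty list means the template passes."""
    out = []
    for name, result in check_template(template).items():
        if not result["kms"]:
            out.append(f"{name}: no default SSE-KMS encryption")
        if not result["https_only"]:
            out.append(f"{name}: no policy denying s3:* when aws:SecureTransport is false")
    return out


if __name__ == "__main__":
    for label, tpl in (("secure", SECURE_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        print(label, findings(tpl) or "OK")
```

The policy check deliberately insists on both the bucket ARN and the `/*` object ARN, as the post's template lists them: a Deny that covers only objects still lets bucket-level operations such as listing happen over plain HTTP. Run the script on its own and it reports "OK" for the secure template and two findings for the weak one; point `findings()` at a template loaded from your own JSON file to use it as a pre-deployment gate.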

Deploying the Template

To deploy this configuration:

  1. Save the above script as a .yaml file.

  2. Use it to create a new stack in AWS CloudFormation.

Conclusion

Using CloudFormation to configure an S3 bucket ensures that your storage is not only efficient but also secure. The integration of KMS encryption and a strict HTTPS-only policy safeguards your data both at rest and in transit. This approach of infrastructure as code promotes best practices in security and enables easier management and scalability of cloud resources. With CloudFormation, complex configurations become manageable, paving the way for robust and secure cloud infrastructure.

Written by Chandrasekar(Chan) Rajaram