amazon-web-services - Creating an S3 bucket with encryption fails because of AWSSamples::S3BucketEncrypt::Hook

Tags: amazon-web-services amazon-s3 aws-cloudformation hook

I have activated AWSSamples::S3BucketEncrypt::Hook with the following configuration, but creating an S3 bucket with encryption enabled seems to fail because of the Hook.

{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "AES256"
      }
    }
  }
}
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}


The following CloudFormation stacks should pass, but they fail. They only seem to work when I disable the Hook. I have checked the trust policy, and it seems fine for CloudFormation to access the Hook and the S3 bucket.

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
    DeletionPolicy: Delete
AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

Best answer

There are multiple issues

  1. The role needs to be created using https://github.com/aws-cloudformation/aws-cloudformation-samples/blob/main/hooks/python-hooks/s3-bucket-encryption/hook-role.yaml
  2. The CF Hook configuration needs to be as follows
  3. KMS
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}

3.1 Use the following CF to create an SSE-S3 bucket for point 3

AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags: 
        - Key: "keyname1"
          Value: "value1"

  EncryptionKey:  
    Type: AWS::KMS::Key
    Properties:
     Description: KMS key used to encrypt the resource type artifacts
     EnableKeyRotation: true
     KeyPolicy:
      Version: "2012-10-17"
      Statement:
      - Sid: Enable full access for owning account
        Effect: Allow
        Principal: 
          AWS: !Ref "AWS::AccountId"
        Action: kms:*
        Resource: "*"

Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket

Or

SSE-S3

AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'aesencryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
    DeletionPolicy: Delete

4.1 Use the following CF to create an SSE-S3 bucket for point 4

    AWSTemplateFormatVersion: "2010-09-09"
    Description: This CloudFormation template provisions an encrypted S3 Bucket
    Resources:
      EncryptedS3Bucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: 'AES256'
                BucketKeyEnabled: true
          Tags: 
            - Key: "keyname1"
              Value: "value1"
    

Regarding "amazon-web-services - Creating an S3 bucket with encryption fails because of AWSSamples::S3BucketEncrypt::Hook", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/71333656/
