Create a Bucket Policy in S3 with Encryption Conditions


Introduction

Within S3 there are a number of ways to set permissions on your S3 resources. Two of these options are bucket policies and user policies. Bucket policies are applied directly to a bucket within S3 itself, whereas user policies are set within IAM (Identity & Access Management). In this Lab, you will set up and configure a bucket policy within S3. The bucket policy will deny any object upload to a specific bucket unless the request's server-side encryption header matches the value given in the bucket policy's condition statement.

Bucket policies use the JSON-based (JavaScript Object Notation) policy language. However, if you are unfamiliar with JSON, you can use the AWS Policy Generator to create a bucket policy for you. This allows you to generate a policy document which you can then copy and paste into your bucket policy. This Lab Step will make use of the AWS Policy Generator.

In this Lab Step you will create a bucket policy which denies any object upload (s3:PutObject) that does not request server-side encryption with Amazon S3-managed keys (SSE-S3, sent as the header x-amz-server-side-encryption: AES256).

Two caveats before relying on this pattern outside the Lab. First, since January 2023 Amazon S3 applies SSE-S3 to every new object by default, so today the policy's practical effect is to force clients to state their encryption choice explicitly rather than to be the only thing encrypting data at rest. Second, because the condition accepts only AES256, it also rejects uploads that ask for SSE-KMS (aws:kms), which many teams prefer for key-usage auditing; a StringNotEquals condition can list both values if you want to accept either.

AWS documentation states: Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects.

First, you will create your Bucket Policy.


Instructions

1. From the Amazon S3 console, select the bucket you created earlier


2. Click the Permissions tab, scroll down to the Bucket policy section and click Edit.


3. Remove the existing policy from the editor:

4. To start generating a new policy, click Policy generator:

The policy generator will open in a new browser tab.


5. Fill out Step 1: Select Policy Type as follows:

  • Select Type of Policy: S3 Bucket Policy


6. Fill out Step 2: Add Statement(s) as follows:

  • Effect: Select the Deny radio button
  • Principal: Enter *
  • Actions: Select PutObject
    • The Deny applies only to objects being written to your S3 bucket; reads and other operations are not affected by this statement.
  • ARN: *
    • You will replace this with your bucket ARN on the Edit bucket policy page.


7. Still within Step 2: Add Statement(s), click Add Conditions (Optional) and fill out as follows:

  • Condition: Select StringNotEquals
  • Key: Select s3:x-amz-server-side-encryption
  • Value: Enter AES256

Conditions narrow when a statement applies. Here the Deny takes effect only when the request's s3:x-amz-server-side-encryption value is not AES256. Note that a negated operator such as StringNotEquals also matches when the key is absent from the request entirely, which is why an upload that sends no encryption header at all is denied as well (the test later in this Lab Step confirms this). If you want that case spelled out, AWS's documented examples add a second Deny statement that uses the Null operator on the same key.


8. Click the Add Condition button when ready to proceed.

Your wizard should look similar to:


9. Click Add Statement.

You have created a bucket policy statement that denies any object upload whose request does not carry the server-side encryption header with the value AES256.


10. In Step 3: Generate Policy, click Generate Policy when ready to proceed.


11. Select and copy the Policy JSON Document generated for you.

For example:

{
  "Id": "Policy1656356492971",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1656356490869",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      },
      "Principal": "*"
    }
  ]
}


12. Return to your browser tab with the Bucket Policy editor open and paste the JSON into the Policy editor. Then replace the * in Resource with your bucket ARN followed by /*, so that the statement covers the objects in the bucket (for example arn:aws:s3:::your-bucket-name/*, substituting your own bucket name). The editor rejects a Resource of *, because a bucket policy may only name the bucket itself and its objects.

Important: Make sure you use your own unique bucket name on the Resource line.


13. To save your policy, scroll to the bottom and click Save changes.

Your S3 bucket now has a bucket policy applied. Recall that the condition within your policy specifies that any object added to your bucket without the AES256 server-side encryption header is denied.

Next, you will test the bucket policy by attempting an upload of a file without encryption, then uploading a file with SSE encryption.


14. Click the Objects tab at the top, click Upload, and then Add files.


15. Select (or drag and drop) a file or two from your local file system, then click Upload at the bottom to upload the selected files.

You will see a notification that the upload has failed.

Next you will upload a file with encryption enabled to further test the S3 bucket policy.


16. Click Close, then Upload, then Add files, and select a local file to upload.

This time you will progress through the Upload wizard in order to enable server side encryption before actually uploading the file.


17. With a file selected to be uploaded, move to the Properties section.

 
18. Scroll down to the Server-side encryption settings section and select Specify an encryption key.

For this test you will use the default Amazon S3 key (SSE-S3) encryption key type.


19. Scroll down to the bottom and click Upload.

This time the file is uploaded to your S3 bucket: the request carried x-amz-server-side-encryption: AES256, so the Deny condition did not match and the bucket policy was not violated.
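As an added example (not part of the Lab, and not Cloud Academy's or AWS's own code), the following Python builds the same bucket policy for a bucket name you supply and checks locally how its conditions evaluate against three kinds of PutObject request: no encryption header, SSE-S3 (AES256), and SSE-KMS (aws:kms). It goes one step beyond the Lab's single statement by adding a second Deny with the Null operator, so the missing-header case is stated explicitly. The bucket name example-lab-bucket and the small condition evaluator are assumptions of this example; the evaluator models only the two operators the policy uses and is not AWS's evaluation engine.

```python
"""Generate an encryption-enforcing S3 bucket policy and evaluate it locally.

Added example; not the Lab's or AWS's own code. The bucket name and the
condition evaluator below are assumptions made for illustration.
"""
import json

SSE_HEADER = "s3:x-amz-server-side-encryption"


def build_policy(bucket_name: str, algorithm: str = "AES256") -> dict:
    """Return the bucket policy as a dict ready for json.dumps().

    Statement 1 mirrors the Lab's generated statement: deny PutObject when the
    encryption header is present but not equal to `algorithm`.
    Statement 2 denies PutObject when the header is absent entirely, making
    that case explicit instead of relying on StringNotEquals' missing-key rule.
    Resource must be the object ARN (bucket/*); a bare "*" is rejected.
    """
    objects_arn = f"arn:aws:s3:::{bucket_name}/*"  # assumed bucket name
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"StringNotEquals": {SSE_HEADER: algorithm}},
            },
            {
                "Sid": "DenyUnencryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects_arn,
                "Condition": {"Null": {SSE_HEADER: "true"}},
            },
        ],
    }


def _condition_matches(operator: str, key: str, expected: str, context: dict) -> bool:
    """Minimal IAM condition semantics for the two operators this policy uses."""
    present = key in context
    if operator == "StringNotEquals":
        # Negated operators match when the key is missing from the request context.
        return (not present) or context[key] != expected
    if operator == "Null":
        # Null "true" asks "is the key absent?"; Null "false" asks "is it present?"
        return (not present) if expected == "true" else present
    raise ValueError(f"unsupported operator in this example: {operator}")


def put_object_denied(policy: dict, request_headers: dict) -> list:
    """Return the Sids of Deny statements matching a PutObject request.

    request_headers maps condition keys to the values the request carries,
    e.g. {"s3:x-amz-server-side-encryption": "AES256"}. An empty list means
    the bucket policy does not deny the upload (an Allow is still needed).
    """
    matched = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] != "Deny" or "s3:PutObject" not in actions:
            continue
        conditions = stmt.get("Condition", {})
        if all(
            _condition_matches(op, key, val, request_headers)
            for op, pairs in conditions.items()
            for key, val in pairs.items()
        ):
            matched.append(stmt["Sid"])
    return matched


if __name__ == "__main__":
    policy = build_policy("example-lab-bucket")
    print(json.dumps(policy, indent=2))
    # Constructed sample requests: header absent, SSE-S3, SSE-KMS.
    samples = {
        "no header": {},
        "SSE-S3": {SSE_HEADER: "AES256"},
        "SSE-KMS": {SSE_HEADER: "aws:kms"},
    }
    for name, headers in samples.items():
        print(f"{name:10s} -> denied by {put_object_denied(policy, headers) or 'nothing'}")
```

To apply and test the generated document against a real bucket, save the printed JSON to policy.json and run aws s3api put-bucket-policy --bucket your-bucket --policy file://policy.json; then compare aws s3api put-object --bucket your-bucket --key test.txt --body test.txt (denied) with the same command plus --server-side-encryption AES256 (accepted). The SSE-KMS case is the one to watch: it is encrypted at rest, yet this policy still rejects it because the header value is not AES256.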


Summary

In this Lab Step you applied an S3 bucket policy that denies any upload of an object that does not request server-side encryption with AES256. You tested the policy by uploading files that did not have encryption enabled, and others that did. Further, you learned where to look for errors in the S3 console if an S3 operation (such as a file upload) fails.

Please see the Protecting Data Using Server Side Encryption in the AWS documentation for more information. For additional information regarding user policies, please see other Cloud Academy labs and courses relating to IAM.

Validation checks

S3 Bucket Enforces Encryption: an object upload fails unless it is encrypted with AES-256 (SSE-S3).
