Encrypt all of your S3 Buckets automatically

Overview

I. Terraform Providers

II. Modules

  • s3-scan-encryption
  • IAM roles and policies
  • CloudWatch Events
  • Lambda
  • SNS Notification

III. Lambda function

$ virtualenv -p python3 venv
Running virtualenv with interpreter /usr/local/bin/python3
Using base prefix '/usr/local/Cellar/python/3.7.5/Frameworks/Python.framework/Versions/3.7'
New python executable in /Users/oli/Documents/venv/bin/python3.7
Also creating executable in /Users/oli/Documents/venv/bin/python
Installing setuptools, pip, wheel...
done.
$ source venv/bin/activate

IV. SSM Parameters

  • s3-encryption-exception-list: List of S3 Buckets excluded from the scan (StringList type)
  • default-source-email: Default sender name used as the source of the notification email (String type)
  • default-destination-emails: List of email recipients (StringList type)

V. Deploy

19:23 $ ./python_packages.sh
Requirement already satisfied: pytest in /Users/oli/Documents/terraform_s3_encryption_email/venv/lib/python3.7/site-packages (from -r requirements_test.txt (line 1)) (5.4.1)
[...]
--------------------------------------------------------------------
Your code has been rated at 10.00/10 (previous run: 10.00/10, +0.00)
~/Documents/terraform_s3_encryption_email/modules
~/Documents/terraform_s3_encryption_email/modules/s3-scan-encryption ~/Documents/terraform_s3_encryption_email/modules
adding: s3_encryption.py (deflated 69%)
~/Documents/terraform_s3_encryption_email/modules
11:51 $ terraform init
Initializing modules...
Initializing the backend...
Initializing provider plugins...
The following providers do not have any version constraints in configuration,
so the latest version was installed.
To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.
* provider.template: version = "~> 2.1"
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
1:51 $ terraform apply
module.s3-encryption-lambda.data.aws_ssm_parameter.display_name: Refreshing state...
module.s3-encryption-lambda.data.aws_caller_identity.current: Refreshing state...
module.s3-encryption-lambda.data.aws_ssm_parameter.s3_encryption_emails: Refreshing state...
module.s3-encryption-lambda.data.template_file.cloudformation_sns_stack: Refreshing state...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.s3-encryption-lambda.data.aws_iam_policy_document.sns_publish will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "sns_publish" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "SNS:Publish",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
}
}
[...]
Plan: 15 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
Subscription email

VI. Details of this repository

  • List all your existing buckets
  • Compare this list with the exception list of S3 Buckets held in your SSM parameter
  • Check whether default encryption (SSE-KMS or SSE-S3) is already applied on each bucket
  • Apply SSE on every bucket where it was not already applied
  • Notify by SNS notification
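The following is an added example and not the repository's own Lambda code: it implements the scan-and-remediate loop listed above, together with the parsing of the SSM StringList exception list from section IV, against the boto3 S3 and SNS client calls (get_bucket_encryption, put_bucket_encryption, publish). A constructed in-memory fake client stands in for boto3 so the script runs offline; the function names, the Fake* classes, the bucket names and the topic ARN are assumptions made for the illustration. Two details a practitioner should keep: only the ServerSideEncryptionConfigurationNotFoundError code means "no default encryption", anything else (AccessDenied, for instance) is re-raised rather than being treated as an unencrypted bucket, and SNS is published only when a bucket was actually changed. Note also that since January 2023 S3 applies SSE-S3 by default to every new bucket, so on a current account the scan mostly catches older buckets.

```python
"""Scan every S3 bucket, apply SSE-S3 default encryption where missing, notify via SNS.

Added example, not the article's code. Works with real boto3 clients or with the
constructed fakes below; all names here are assumptions for the illustration.
"""
try:
    from botocore.exceptions import ClientError
except ImportError:  # boto3 not installed: minimal stand-in so the offline demo still runs
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Code"])
            self.response = error_response
            self.operation_name = operation_name

# Error code S3 returns from GetBucketEncryption when no default encryption is configured.
NOT_ENCRYPTED = "ServerSideEncryptionConfigurationNotFoundError"
# SSE-S3 default rule; swap in {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "..."} for SSE-KMS.
DEFAULT_SSE = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}


def parse_exception_list(value):
    """An SSM StringList parameter comes back as one comma-separated string."""
    return {name.strip() for name in value.split(",") if name.strip()}


def bucket_encryption(s3, bucket):
    """Return the default SSE algorithm ('AES256' or 'aws:kms'), or None if none is set."""
    try:
        cfg = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response["Error"]["Code"] == NOT_ENCRYPTED:
            return None
        raise  # AccessDenied etc. must not be mistaken for "unencrypted"
    rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def remediate_buckets(s3, sns, exception_list, topic_arn, dry_run=False):
    """Scan, remediate and report. Returns the report so callers can inspect it."""
    report = {"skipped": [], "encrypted": [], "remediated": []}
    for entry in s3.list_buckets()["Buckets"]:
        name = entry["Name"]
        if name in exception_list:
            report["skipped"].append(name)
            continue
        algo = bucket_encryption(s3, name)
        if algo is not None:
            report["encrypted"].append((name, algo))
            continue
        if not dry_run:
            s3.put_bucket_encryption(Bucket=name, ServerSideEncryptionConfiguration=DEFAULT_SSE)
        report["remediated"].append(name)
    if report["remediated"]:  # notify only when something changed
        sns.publish(TopicArn=topic_arn, Subject="S3 default encryption applied",
                    Message="\n".join(report["remediated"]))
    return report


class FakeS3:
    """Constructed stand-in for boto3.client('s3'): bucket name -> SSE algorithm or None."""
    def __init__(self, buckets):
        self.buckets = dict(buckets)

    def list_buckets(self):
        return {"Buckets": [{"Name": b} for b in self.buckets]}

    def get_bucket_encryption(self, Bucket):
        algo = self.buckets[Bucket]
        if algo is None:
            raise ClientError({"Error": {"Code": NOT_ENCRYPTED, "Message": ""}}, "GetBucketEncryption")
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algo}}]}}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        rule = ServerSideEncryptionConfiguration["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        self.buckets[Bucket] = rule["SSEAlgorithm"]


class FakeSNS:
    """Constructed stand-in for boto3.client('sns') that records published messages."""
    def __init__(self):
        self.messages = []

    def publish(self, **kwargs):
        self.messages.append(kwargs)
        return {"MessageId": "constructed"}


def demo():
    """Constructed account: two encrypted buckets, two without default encryption."""
    s3 = FakeS3({"logs-bucket": "AES256", "data-bucket": "aws:kms",
                 "legacy-bucket": None, "public-site": None})
    sns = FakeSNS()
    exceptions = parse_exception_list("public-site, another-exempt-bucket")  # SSM StringList value
    topic_arn = "arn:aws:sns:eu-west-1:123456789012:s3-encryption"  # assumed ARN
    return remediate_buckets(s3, sns, exceptions, topic_arn), s3, sns


if __name__ == "__main__":
    print(demo()[0])
```

To run against a real account replace the fakes with `boto3.client("s3")` and `boto3.client("sns")` and read the exception list with `ssm.get_parameter(Name="s3-encryption-exception-list")["Parameter"]["Value"]`; a first pass with `dry_run=True` shows what would be changed without touching any bucket.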

VII. Testing

Test configuration


Olivier Butterbach

Cloud technologies and solutions lover, https://cdcloudlogix.com