From a72a46891257764f958cc5dc50907bac9f7453d5 Mon Sep 17 00:00:00 2001
From: Vahor
Date: Mon, 25 Dec 2023 20:56:05 +0100
Subject: [PATCH] feat: enable encryption

---
 aws/policies/pulumi.json | 1 +
 src/aws/resources/files-bucket.ts | 38 +++++++++++++++++++++++++++++-
 src/aws/resources/static-bucket.ts | 4 ++--
 3 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/aws/policies/pulumi.json b/aws/policies/pulumi.json
index 8c61e8a..7cde51a 100644
--- a/aws/policies/pulumi.json
+++ b/aws/policies/pulumi.json
@@ -10,6 +10,7 @@
 "s3:List*",
 "s3:PutBucketPublicAccessBlock",
 "s3:PutBucketPolicy",
+ "s3:PutEncryptionConfiguration",
 "s3:DeleteBucketPolicy"
 ],
 "Resource": [
diff --git a/src/aws/resources/files-bucket.ts b/src/aws/resources/files-bucket.ts
index 068411f..f28aa01 100644
--- a/src/aws/resources/files-bucket.ts
+++ b/src/aws/resources/files-bucket.ts
@@ -6,9 +6,17 @@ export const createFilesBucket = () => {
 const bucket = new aws.s3.Bucket('files.pedaki.fr', {
 bucket: 'files.pedaki.fr',
 acl: 'private',
+ serverSideEncryptionConfiguration: {
+ rule: {
+ applyServerSideEncryptionByDefault: {
+ sseAlgorithm: 'aws:kms',
+ },
+ bucketKeyEnabled: true,
+ },
+ },
 });
 
- const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('publicAccessBlock', {
+ const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('files.pedaki.fr-publicAccessBlock', {
 bucket: bucket.id,
 blockPublicAcls: true,
 blockPublicPolicy: true,
@@ -16,6 +24,34 @@ export const createFilesBucket = () => {
 restrictPublicBuckets: true,
 });
 
+ const policy = new aws.s3.BucketPolicy(
+ 'files-bucket-policy',
+ {
+ bucket: bucket.id,
+ policy: bucket.arn.apply(arn =>
+ JSON.stringify({
+ // all files should be encrypted
+ Version: '2012-10-17',
+ Statement: [
+ {
+ Sid: 'DenyUnEncryptedObjectUploads',
+ Effect: 'Deny',
+ Principal: '*',
+ Action: 's3:PutObject',
+ Resource: `${arn}/*`,
+ Condition: {
+ StringNotEquals: {
+ 's3:x-amz-server-side-encryption': 'aws:kms',
+ },
+ },
+ },
+ ],
+ }),
+ ),
+ },
+ { dependsOn: [publicAccessBlock] },
+ );
+
 const record = new cloudflare.Record('files.pedaki.fr', {
 name: 'files',
 type: 'CNAME',
diff --git a/src/aws/resources/static-bucket.ts b/src/aws/resources/static-bucket.ts
index cd8c231..1f8dc54 100644
--- a/src/aws/resources/static-bucket.ts
+++ b/src/aws/resources/static-bucket.ts
@@ -7,7 +7,7 @@ export const createStaticBucket = () => {
 bucket: 'static.pedaki.fr',
 });
 
- const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('publicAccessBlock', {
+ const publicAccessBlock = new aws.s3.BucketPublicAccessBlock('static.pedaki.fr-publicAccessBlock', {
 bucket: bucket.id,
 blockPublicAcls: false,
 blockPublicPolicy: false,
@@ -16,7 +16,7 @@ export const createStaticBucket = () => {
 });
 
 const _ = new aws.s3.BucketPolicy(
- 'bucket-policy',
+ 'static-bucket-policy',
 {
 bucket: bucket.id,
 policy: bucket.arn.apply(arn =>
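Review bot: The `DenyUnEncryptedObjectUploads` statement only rejects a PutObject whose `s3:x-amz-server-side-encryption` value differs from `aws:kms`; AWS's reference bucket policy pairs this `StringNotEquals` statement with a second Deny using `Null: { 's3:x-amz-server-side-encryption': 'true' }` for requests that omit the header entirely, so it is worth confirming that the single statement also denies header-less uploads before relying on it. The rule in the first hunk sets `sseAlgorithm: 'aws:kms'` with no `kmsMasterKeyId`, which presumably falls back to the AWS-managed `aws/s3` key, and the policy does not pin `s3:x-amz-server-side-encryption-aws-kms-key-id`, so an uploader may still write objects under any KMS key it can use — record that choice in a comment such as `// SSE-KMS with the AWS-managed aws/s3 key; uploaders are not pinned to a key id`. Moving `// all files should be encrypted` out of the JSON.stringify literal to the line above `const policy` would state the intent where the resource is declared. createFilesBucket starts before this hunk and continues past it.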