
Our AWS S3 bucket policy requires encryption in transit in order to place objects within S3. I have a Terraform script written out that will write the state file to our S3 bucket. Unfortunately, it is not allowing me to do this due to the script not having encryption in transit.

Does anyone know if this is possible to achieve through Terraform?

Edit: Adding in bucket policy.

```json
{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}
```

Edit: Adding in backend tfstate

```hcl
terraform {
  backend "s3" {
    bucket = "test"                        # bucket name only; S3 bucket names cannot contain "/"
    key    = "inf/s3_vpc_endpoint.tfstate" # the "inf/" prefix belongs in the object key
    region = "us-east-1"
  }
}
```
  • Terraform will use encryption in transit by default when writing the state file to S3. My guess is there is something incorrect in your S3 bucket policy. Can you edit your question to include your bucket policy? – Mark B Aug 04 '21 at 15:46
  • @MarkB Sure, I've added it in now. – Brittany Hamlenson Aug 04 '21 at 15:53
  • That policy enforces encryption at rest, not encryption in transit. Terraform probably isn't setting encryption at rest headers. You should set a default encryption policy on the bucket instead of forcing every request to set it on every file. For enforcing encryption in transit, see the answer here: https://stackoverflow.com/questions/21087474/force-ssl-on-amazon-s3 – Mark B Aug 04 '21 at 16:11
  • How are you configuring your state backend? Can you show the code for that or the command you run that configures your state? – ydaetskcoR Aug 04 '21 at 16:13
  • @ydaetskcoR yes, I have added it now – Brittany Hamlenson Aug 04 '21 at 18:58
  • @MarkB these policies are in place from our infosec team. – Brittany Hamlenson Aug 04 '21 at 18:59
  • Add `encrypt = true` to the backend configuration to see if that gets past the issue. Documentation here: https://www.terraform.io/docs/language/settings/backends/s3.html – Mark B Aug 04 '21 at 19:22
  • @MarkB did you want to post that as an answer? – ydaetskcoR Aug 05 '21 at 09:50
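As an added example (not the asker's configuration or any poster's code), this is the backend with Mark B's `encrypt = true` suggestion applied, alongside the two bucket-side controls the comments point to: a default encryption rule for rest and an `aws:SecureTransport` Deny for transit, as in the answer he links. The bucket name `test` and the key prefix are assumed from the question.

```hcl
# Added example, not the asker's config. With encrypt = true the S3 backend sends
# x-amz-server-side-encryption: AES256 on the state upload, which is the header
# both Deny statements in the question's policy actually check for.
terraform {
  backend "s3" {
    bucket  = "test"                        # bucket name only (assumed from the policy ARN)
    key     = "inf/s3_vpc_endpoint.tfstate" # object prefix goes in the key
    region  = "us-east-1"
    encrypt = true
  }
}

# Encryption in transit: deny every request that does not arrive over TLS.
# This is a different condition key from the SSE header checks above.
data "aws_iam_policy_document" "state_bucket" {
  statement {
    sid     = "DenyInsecureTransport"
    effect  = "Deny"
    actions = ["s3:*"]
    resources = [
      "arn:aws:s3:::test",
      "arn:aws:s3:::test/*",
    ]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "state_bucket" {
  bucket = "test"
  policy = data.aws_iam_policy_document.state_bucket.json
}

# Encryption at rest as a bucket default, so objects are encrypted even when a
# client omits the header (the per-request header Denies can then be dropped).
resource "aws_s3_bucket_server_side_encryption_configuration" "state_bucket" {
  bucket = "test"
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```

In practice the backend block and the bucket resources live in separate configurations, since the state bucket must exist before a backend can write to it.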
