
I am a newbie to SAM (and CloudFormation) and I learned today that you can create a new bucket by adding something like this to the SAM yaml template:

Resources:
  MyGreatNewBucket:          # logical IDs must be alphanumeric (no hyphens)
    Type: AWS::S3::Bucket    # a space is required after the colon

Does SAM offer a way to also add an already existing KMS encryption key to that newly created bucket (and to enable Bucket Key)?

With boto I would do exactly the following to achieve this:

import boto3

# Assumed for this snippet: bucketName holds the bucket name and myKeyArn the
# ARN of the already existing KMS key (both are placeholders from the question).
client = boto3.client("s3")
response = client.put_bucket_encryption(
    Bucket=bucketName,
    ServerSideEncryptionConfiguration={
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": myKeyArn,
                },
                "BucketKeyEnabled": True,   # enable S3 Bucket Key
            }
        ]
    },
)

How can I transform this operation to the SAM template?

and0r

1 Answer


So S3::Bucket is not a SAM resource but a normal CloudFormation resource. You can achieve this by changing KMS-KEY-ARN to the Key ID of your Key.

Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN

Robert Kossendey