AWScloud~30 mins

S3 encryption options in AWS - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

S3 Encryption Options Setup

📖 Scenario: You are setting up an Amazon S3 bucket to securely store company documents. To protect the data, you want to apply encryption options that ensure data is encrypted at rest.

🎯 Goal: Create an S3 bucket with server-side encryption enabled using AWS managed keys (SSE-S3). Then add a configuration variable to switch to AWS KMS managed keys (SSE-KMS). Finally, apply the encryption configuration to the bucket.

📋 What You'll Learn

Create an S3 bucket resource named MySecureBucket

Add a variable encryption_type to select between "SSE-S3" and "SSE-KMS"

Use the encryption_type variable to configure the bucket encryption

For SSE-KMS, use the AWS managed KMS key alias alias/aws/s3

💡 Why This Matters

🌍 Real World

Companies use S3 encryption to protect sensitive data at rest, complying with security standards and regulations.

💼 Career

Cloud architects and engineers must configure secure storage solutions using encryption options in AWS S3.

Progress0 / 4 steps

Create the S3 bucket resource

Create an S3 bucket resource named MySecureBucket using AWS CloudFormation syntax. Do not add encryption yet.

AWS

# Create an S3 bucket resource named MySecureBucket
# Your code here

Need a hint?

Use the Resources section and define MySecureBucket with type AWS::S3::Bucket.

Add encryption type configuration variable

Add a parameter named encryption_type with allowed values "SSE-S3" and "SSE-KMS" to select the encryption method.

AWS

Resources:
  MySecureBucket:
    Type: AWS::S3::Bucket

# Add a parameter named encryption_type with allowed values "SSE-S3" and "SSE-KMS"
# Your code here

Need a hint?

Define a Parameters section with encryption_type as a string and specify allowed values.

Configure bucket encryption using the parameter

Add a BucketEncryption property to MySecureBucket that uses the encryption_type parameter. Use alias/aws/s3 as the KMS key ID when encryption_type is "SSE-KMS". Use conditional logic to select the encryption type.

AWS

Parameters:
  encryption_type:
    Type: String
    AllowedValues:
      - SSE-S3
      - SSE-KMS

Resources:
  MySecureBucket:
    Type: AWS::S3::Bucket

# Add BucketEncryption property using encryption_type parameter
# Your code here

Need a hint?

Use Conditions to check if encryption_type equals SSE-KMS. Use !If to select aws:kms or AES256 for SSEAlgorithm. Add KMSMasterKeyID only for SSE-KMS.

Complete the CloudFormation template

Add the Outputs section to output the bucket name with the key BucketName referencing MySecureBucket.

AWS

Parameters:
  encryption_type:
    Type: String
    AllowedValues:
      - SSE-S3
      - SSE-KMS

Resources:
  MySecureBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: !If
                - IsSSEKMS
                - aws:kms
                - AES256
              KMSMasterKeyID: !If
                - IsSSEKMS
                - alias/aws/s3
                - !Ref "AWS::NoValue"

Conditions:
  IsSSEKMS: !Equals [ !Ref encryption_type, SSE-KMS ]

# Add Outputs section with BucketName output referencing MySecureBucket
# Your code here

Need a hint?

Use the Outputs section to expose the bucket name with key BucketName.