Stop requiring --sse=AES256 when uploading to S3
Requiring this option is no longer necessary since, from January 2023, all
Amazon S3 buckets have encryption configured by default and objects are
automatically encrypted using server-side encryption with Amazon S3
managed keys (SSE-S3).
RomaricKanyamibwa committed Jun 20, 2024
1 parent 2f687cf commit 1795c74
Showing 15 changed files with 1 addition and 406 deletions.
44 changes: 0 additions & 44 deletions src/e3/aws/troposphere/s3/bucket.py
Expand Up @@ -18,8 +18,6 @@

if TYPE_CHECKING:
from e3.aws.troposphere import Stack
from e3.aws.troposphere.iam.policy_statement import ConditionType

from typing import Any


Expand Down Expand Up @@ -87,48 +85,6 @@ def __init__(
self.authorized_encryptions
), "At least one authorized s3 encryption should be provided"

# The one element case is needed for retrocompatibility
# with stacks deployed with older versions of e3-aws
condition: ConditionType
if len(self.authorized_encryptions) == 1:
condition = {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": self.authorized_encryptions[
0
].value
}
}
else:
condition = {
"ForAllValues:StringNotEquals": {
"s3:x-amz-server-side-encryption": [
enc.value for enc in self.authorized_encryptions
]
}
}

self.policy_statements.extend(
[
# Deny to store object not encrypted with AES256 encryption
PolicyStatement(
action="s3:PutObject",
effect="Deny",
resource=self.all_objects_arn,
principal={"AWS": "*"},
condition=condition,
),
# Deny to store non encrypted objects
# (??? do we really need that statement)
PolicyStatement(
action="s3:PutObject",
effect="Deny",
resource=self.all_objects_arn,
principal={"AWS": "*"},
condition={"Null": {"s3:x-amz-server-side-encryption": "true"}},
),
]
)

@property
def policy_document(self) -> PolicyDocument:
"""Return PolicyDocument to be attached to the bucket."""
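Review bot: The `assert self.authorized_encryptions` check kept at the top of the hunk now guards a value whose only visible consumer, the two `PolicyStatement` Deny entries on `s3:PutObject`, has been removed, so within this hunk `authorized_encryptions` no longer influences the bucket policy. Default SSE-S3 encryption guarantees encryption at rest, but it does not enforce the key type a caller selected: a bucket constructed with only `aws:kms` authorized (the `bucket_multi_encryption.json` fixture shows the KMS case existed) will now accept an object a client explicitly uploads with `AES256`, which the old `StringNotEquals` condition rejected. If `authorized_encryptions` is still consumed elsewhere in the class (e.g. for a BucketEncryption configuration) that should be stated; otherwise either retain the `StringNotEquals` Deny for the KMS-only case or document the weakened contract next to the assert, e.g. `# NOTE: the bucket policy no longer denies PutObject based on the encryption header; authorized_encryptions does not restrict the key type a client may choose.` `__init__` begins before this hunk, so the parameter's other uses are not visible here.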
20 changes: 0 additions & 20 deletions tests/tests_e3_aws/troposphere/config/config_test.py
Expand Up @@ -162,26 +162,6 @@
"Resource": "arn:aws:s3:::config-test-bucket/*",
"Condition": {"Bool": {"aws:SecureTransport": "false"}},
},
{
"Effect": "Deny",
"Principal": {"AWS": "*"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::config-test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
},
},
{
"Effect": "Deny",
"Principal": {"AWS": "*"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::config-test-bucket/*",
"Condition": {
"Null": {"s3:x-amz-server-side-encryption": "true"}
},
},
{
"Effect": "Allow",
"Principal": {"Service": "config.amazonaws.com"},
Expand Up @@ -44,32 +44,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
Expand Up @@ -44,32 +44,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
26 changes: 0 additions & 26 deletions tests/tests_e3_aws/troposphere/s3/bucket-with-roles.json
Expand Up @@ -44,32 +44,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket-with-roles/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
26 changes: 0 additions & 26 deletions tests/tests_e3_aws/troposphere/s3/bucket.json
Expand Up @@ -109,32 +109,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
29 changes: 0 additions & 29 deletions tests/tests_e3_aws/troposphere/s3/bucket_multi_encryption.json
Expand Up @@ -35,35 +35,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"ForAllValues:StringNotEquals": {
"s3:x-amz-server-side-encryption": [
"AES256",
"aws:kms"
]
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
Expand Up @@ -64,32 +64,6 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
Expand Up @@ -45,36 +45,10 @@
"aws:SecureTransport": "false"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
},
"Type": "AWS::S3::BucketPolicy"
}
}
}
26 changes: 0 additions & 26 deletions tests/tests_e3_aws/troposphere/s3websitedistribution.json
Expand Up @@ -45,32 +45,6 @@
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::host-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::host-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
},
{
"Effect": "Allow",
"Principal": {
26 changes: 0 additions & 26 deletions tests/tests_e3_aws/troposphere/s3websitedistribution_bucket.json
Expand Up @@ -45,32 +45,6 @@
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::host-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
},
{
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::host-bucket/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
},
{
"Effect": "Allow",
"Principal": {