Configure server-side encryption for artifacts stored in Amazon S3 for CodePipeline - Amazon CodePipeline
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure server-side encryption for artifacts stored in Amazon S3 for CodePipeline

There are two ways to configure server-side encryption for Amazon S3 artifacts:

  • CodePipeline creates an S3 artifact bucket and default Amazon managed key when you create a pipeline using the Create Pipeline wizard. The Amazon managed key is encrypted along with object data and managed by Amazon.

  • You can create and manage your own customer managed key.

Important

CodePipeline only supports symmetric KMS keys. Do not use an asymmetric KMS key to encrypt the data in your S3 bucket.

If you are using the default S3 key, you cannot change or delete this Amazon managed key. If you are using a customer managed key in Amazon KMS to encrypt or decrypt artifacts in the S3 bucket, you can change or rotate this customer managed key as necessary.

Amazon S3 supports bucket policies that you can use if you require server-side encryption for all objects that are stored in your bucket. For example, the following bucket policy denies upload object (s3:PutObject) permission to everyone if the request does not include the x-amz-server-side-encryption header requesting server-side encryption with SSE-KMS.

    {
        "Version": "2012-10-17",
        "Id": "SSEAndSSLPolicy",
        "Statement": [
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::codepipeline-us-west-2-89050EXAMPLE/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "aws:kms"
                    }
                }
            },
            {
                "Sid": "DenyInsecureConnections",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::codepipeline-us-west-2-89050EXAMPLE/*",
                "Condition": {
                    "Bool": {
                        "aws:SecureTransport": "false"
                    }
                }
            }
        ]
    }

For more information about server-side encryption and Amazon KMS, see Protecting Data Using Server-Side Encryption and Protecting data using server-side encryption with KMS keys stored in Amazon Key Management Service (SSE-KMS).

For more information about Amazon KMS, see the Amazon Key Management Service Developer Guide.

View your Amazon managed key

When you use the Create Pipeline wizard to create your first pipeline, an S3 bucket is created for you in the same Region you created the pipeline. The bucket is used to store pipeline artifacts. When a pipeline runs, artifacts are put into and retrieved from the S3 bucket. By default, CodePipeline uses server-side encryption with Amazon KMS using the Amazon managed key for Amazon S3 (the aws/s3 key). This Amazon managed key is created and stored in your Amazon account. When artifacts are retrieved from the S3 bucket, CodePipeline uses the same SSE-KMS process to decrypt the artifact.

To view information about your Amazon managed key
  1. Sign in to the Amazon Web Services Management Console and open the Amazon KMS console.

  2. If a welcome page appears, choose Get started now.

  3. In the service navigation pane, choose Amazon managed keys.

  4. Choose the Region for your pipeline. For example, if the pipeline was created in us-east-2, make sure that the filter is set to US East (Ohio).

    For more information about the Regions and endpoints available for CodePipeline, see Amazon CodePipeline endpoints and quotas.

  5. In the list, choose the key with the alias used for your pipeline (by default, aws/s3). Basic information about the key is displayed.

Configure server-side encryption for S3 buckets using Amazon CloudFormation or the Amazon CLI

When you use Amazon CloudFormation or the Amazon CLI to create a pipeline, you must configure server-side encryption manually. Use the sample bucket policy above, and then create your own customer managed key. You can also use your own keys instead of the Amazon managed key. Some reasons to choose your own key include:

Cryptographic best practices discourage extensive reuse of encryption keys. As a best practice, rotate your key on a regular basis. To create new cryptographic material for your Amazon KMS keys, you can create a customer managed key, and then change your applications or aliases to use the new customer managed key. Or, you can enable automatic key rotation for an existing customer managed key.

To rotate your customer managed key, see Rotating keys.

Important

CodePipeline only supports symmetric KMS keys. Do not use an asymmetric KMS key to encrypt the data in your S3 bucket.