AWS-EnableS3BucketKeys
Description
The AWS-EnableS3BucketKeys runbook enables Bucket Keys on the Amazon Simple Storage Service (Amazon S3) bucket you specify. A Bucket Key is a bucket-level key that Amazon S3 uses to generate the data keys for new objects, which reduces the number of requests the bucket makes to Amazon KMS; it applies to objects written after it is enabled, not to objects already in the bucket. The runbook writes the bucket's default encryption configuration, replacing any existing rule. If you don't specify a value for the KmsKeyId parameter, server-side encryption with Amazon S3 managed keys (SSE-S3) is used for the default encryption configuration.
Note
Amazon S3 Bucket Keys aren't supported for dual-layer server-side encryption with Amazon Key Management Service (Amazon KMS) keys (DSSE-KMS).
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
-
AutomationAssumeRole
Type: String
Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
-
BucketName
Type: String
Description: (Required) The name of the S3 bucket you want to enable Bucket Keys for.
-
KmsKeyId
Type: String
Description: (Optional) The Amazon Resource Name (ARN), key ID, or the key alias of the Amazon Key Management Service (Amazon KMS) customer managed key you want to use for server-side encryption.
Required IAM permissions
The role you pass in the AutomationAssumeRole parameter (or, if you pass none, the user who starts the runbook) needs the following actions to run the runbook successfully.
-
ssm:StartAutomationExecution
-
ssm:GetAutomationExecution
-
s3:GetEncryptionConfiguration
-
s3:PutEncryptionConfiguration
Document Steps
-
ChooseEncryptionType (aws:branch) - Evaluates the value provided for the KmsKeyId parameter to determine whether SSE-S3 (AES256) or SSE-KMS will be used.
-
PutBucketKeysKMS (aws:executeAwsApi) - Sets the BucketKeyEnabled property to true for the specified S3 bucket using the specified KmsKeyId.
-
PutBucketKeysAES256 (aws:executeAwsApi) - Sets the BucketKeyEnabled property to true for the specified S3 bucket with AES256 encryption.
-
VerifyS3BucketKeysEnabled (aws:assertAwsResourceProperty) - Verifies that Bucket Keys are enabled on the target S3 bucket.
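The steps above, reproduced as an added example that is not part of the runbook (the runbook is an SSM Automation document, not Python): the branch on KmsKeyId, the PutBucketEncryption call with BucketKeyEnabled set, and the read-back assertion, written against boto3-style S3 calls on an injected client. FakeS3Client, the bucket name and the key ARN are constructed for the example. The pre-check that refuses to replace a DSSE-KMS default (which the Note above says cannot use Bucket Keys) or to silently downgrade an existing SSE-KMS default to SSE-S3 when no key is given is an addition the runbook itself does not perform.

```python
"""Added example (not the runbook's own code): the branch / put / verify
logic of AWS-EnableS3BucketKeys in Python, plus a pre-check the runbook
does not make. The S3 client is injected so this runs offline against
FakeS3Client; with boto3 you would pass boto3.client("s3") instead.
Bucket names and the key ARN are constructed sample values."""
from typing import Any, Dict, Optional

SSE_S3, SSE_KMS, DSSE_KMS = "AES256", "aws:kms", "aws:kms:dsse"
Config = Dict[str, Any]


class NotFound(Exception):
    """Stand-in for botocore ClientError code ServerSideEncryptionConfigurationNotFoundError."""


class FakeS3Client:
    """Constructed stand-in for the two S3 API calls the runbook makes."""

    def __init__(self, config: Optional[Config] = None) -> None:
        self.config = config  # None: the bucket has no default-encryption rule

    def get_bucket_encryption(self, Bucket: str) -> Config:
        if self.config is None:
            raise NotFound(Bucket)
        return {"ServerSideEncryptionConfiguration": self.config}

    def put_bucket_encryption(self, Bucket: str, ServerSideEncryptionConfiguration: Config) -> Config:
        # Like the real API, this replaces the whole configuration, not one field.
        self.config = ServerSideEncryptionConfiguration
        return {}


def build_encryption_config(kms_key_id: Optional[str]) -> Config:
    """ChooseEncryptionType: no key -> SSE-S3, key -> SSE-KMS; BucketKeyEnabled either way."""
    default = {"SSEAlgorithm": SSE_KMS, "KMSMasterKeyID": kms_key_id} if kms_key_id else {"SSEAlgorithm": SSE_S3}
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default, "BucketKeyEnabled": True}]}


def current_default_rule(s3: Any, bucket: str) -> Optional[Config]:
    """First default-encryption rule of the bucket, or None if it has none."""
    try:
        resp = s3.get_bucket_encryption(Bucket=bucket)
    except NotFound:
        return None
    rules = resp["ServerSideEncryptionConfiguration"]["Rules"]
    return rules[0] if rules else None


def enable_bucket_keys(s3: Any, bucket: str, kms_key_id: Optional[str] = None,
                       allow_downgrade: bool = False) -> Config:
    """Enable Bucket Keys and return the rule read back from the bucket."""
    current = current_default_rule(s3, bucket)
    if current:
        algo = current["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
        if algo == DSSE_KMS:
            raise ValueError(f"{bucket}: Bucket Keys are not supported with DSSE-KMS; not replacing it")
        if algo == SSE_KMS and not kms_key_id and not allow_downgrade:
            raise ValueError(f"{bucket}: default is SSE-KMS; pass kms_key_id or allow_downgrade=True")
    # PutBucketKeysKMS / PutBucketKeysAES256
    s3.put_bucket_encryption(Bucket=bucket, ServerSideEncryptionConfiguration=build_encryption_config(kms_key_id))
    # VerifyS3BucketKeysEnabled: read the configuration back rather than trusting the put
    applied = current_default_rule(s3, bucket)
    if not applied or applied.get("BucketKeyEnabled") is not True:
        raise RuntimeError(f"{bucket}: BucketKeyEnabled is not true after PutBucketEncryption")
    return applied


def run_scenarios() -> Dict[str, Any]:
    """Exercise the runbook's two branches and both guards on constructed buckets."""
    key = "arn:aws:kms:us-east-1:111122223333:key/0000aaaa-1111-2222-3333-444455556666"

    def kms_config(alg: str) -> Config:  # bucket already defaulting to a KMS algorithm, no Bucket Key
        return {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": alg, "KMSMasterKeyID": key},
                           "BucketKeyEnabled": False}]}

    out: Dict[str, Any] = {}
    out["fresh_sse_s3"] = enable_bucket_keys(FakeS3Client(), "example-bucket")
    out["fresh_sse_kms"] = enable_bucket_keys(FakeS3Client(), "example-bucket", kms_key_id=key)
    for name, cfg in (("dsse_refused", kms_config(DSSE_KMS)), ("downgrade_refused", kms_config(SSE_KMS))):
        try:
            enable_bucket_keys(FakeS3Client(cfg), "example-bucket")
            out[name] = None  # guard did not fire
        except ValueError as exc:
            out[name] = str(exc)
    out["downgrade_allowed"] = enable_bucket_keys(FakeS3Client(kms_config(SSE_KMS)), "example-bucket",
                                                  allow_downgrade=True)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

To run this against a real bucket, pass boto3.client("s3") and catch botocore.exceptions.ClientError with error code ServerSideEncryptionConfigurationNotFoundError where the fake raises NotFound. The caller needs s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration, the same bucket permissions the runbook requires, and the read-back step is worth keeping for the same reason the runbook has VerifyS3BucketKeysEnabled: a successful put does not by itself prove the configuration you intended is the one now in force.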