0
votes

I am trying to use the following to impose a Deny on unencrypted bucket creation. The user with the policy has full S3 and KMS permissions apart from the policy below.

I get this red warning:

This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition.

Further, I am denied access to create an S3 bucket, encrypted or unencrypted.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:CreateBucket",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": [
                        "AES256",
                        "aws:kms"
                    ]
                }
            }
        }
    ]
}

The reason for doing this is to not have to worry about object encryption once the bucket itself is encrypted.

Default Encryption – You can mandate that all objects in a bucket must be stored in encrypted form without having to construct a bucket policy that rejects objects that are not encrypted. Reference: https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

1
Michael - sqlbot: It "works", but does it actually have the intended effect? If you have aws-cli commands that are not usable, that suggests you need a newer version of the CLI.
lft93ryt: Update: I am unable to create a bucket. Access Denied.
lft93ryt: @Michael-sqlbot updating the CLI helped.

1 Answer

0
votes

The condition key is invalid.

The s3:CreateBucket operation supports only certain condition keys in a policy, and s3:x-amz-server-side-encryption is not one of them.

Refer: https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-policy-keys.html#bucket-keys-in-amazon-s3-policies
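To make the answer concrete: s3:x-amz-server-side-encryption is the name of a request header that is sent on object uploads, so it is meaningful as a condition key for s3:PutObject, not for s3:CreateBucket (where no such header exists, which is why the console reports that the statement grants or restricts nothing). The block below is an added example, not code from the question or the answer: it holds a bucket policy of the "reject unencrypted uploads" kind that the linked AWS blog post refers to, written against a placeholder bucket name, plus a deliberately simplified, offline evaluator for the Deny statements so you can see which uploads would be rejected. The evaluator models only the operators used here (Null, StringEquals, StringNotEquals) and simple wildcard resource matching; it is a teaching aid and is not the real IAM evaluation engine.

```python
import fnmatch

# Constructed bucket policy (not from the question). Both statements target
# s3:PutObject, because that is the request that carries the
# x-amz-server-side-encryption header. "example-bucket" is a placeholder.
DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUploadsWithoutSSEHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            # Null/"true" matches when the header is absent from the request.
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyUploadsWithWrongSSEAlgorithm",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
                }
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Simplified evaluation of one condition clause against a request context.

    `context` maps condition-key names to the values present on the request.
    """
    values = _as_list(expected)
    actual = context.get(key)
    if operator == "Null":
        # Null: "true" means "the key is absent"; "false" means "present".
        return (actual is None) == (values[0] == "true")
    if operator == "StringEquals":
        return actual is not None and actual in values
    if operator == "StringNotEquals":
        # Negated operators are treated as matching when the key is absent;
        # the explicit Null statement above keeps that intent readable.
        return actual is None or actual not in values
    raise ValueError(f"unsupported operator in this simplified model: {operator}")


def statement_applies(stmt, action, resource, context):
    """True if the statement's Action, Resource and every Condition match."""
    if action not in _as_list(stmt["Action"]):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern)
               for pattern in _as_list(stmt["Resource"])):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            if not _condition_matches(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return ("Deny", [matching Sids]) if any Deny statement applies, else
    ("Allow", []). Assumes the caller is otherwise allowed, as the question's
    user is (full S3 permissions)."""
    denied_by = [
        stmt["Sid"] for stmt in policy["Statement"]
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, resource, context)
    ]
    return ("Deny" if denied_by else "Allow", denied_by)


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    # Constructed sample requests: encrypted, unencrypted, wrong algorithm.
    for ctx in ({"s3:x-amz-server-side-encryption": "AES256"},
                {},
                {"s3:x-amz-server-side-encryption": "AES128"}):
        print(ctx, "->", evaluate(DENY_UNENCRYPTED_UPLOADS, "s3:PutObject", key, ctx))
    # CreateBucket carries no encryption header, so this policy says nothing
    # about it; bucket-level encryption is set separately (default encryption).
    print("CreateBucket ->", evaluate(DENY_UNENCRYPTED_UPLOADS, "s3:CreateBucket",
                                      "arn:aws:s3:::example-bucket", {}))
```

The last line of the usage shows the gap the question ran into: a Deny keyed on the upload header cannot constrain bucket creation at all. If the goal is "never think about per-object encryption again", the page's own pointer is the right one: turn on default encryption on the bucket and, optionally, keep a PutObject bucket policy like the one above as a belt-and-braces check that an upload cannot override it with a different algorithm.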