req: Encryption enforcement on the Bucket Policy

[badra001]

#1 When the bucket is created, encryption will be enabled. If an existing KMS key is not provided, it will be created.

[badra001]

This goes along with this requirement

• Dedicated KMS Customer Master Key (CMK) created per S3 bucket

It may be better not even to permit the passing of a key and just create with the bucket.

Format would be k-kms-{bucket_name}

[ashle001]

Encryption enforced with Bucket Policy:

{
     "Version": "2012-10-17",
     "Id": "PutObjPolicy",
     "Statement": [
           {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::<bucket_name>/*",
                "Condition": {
                        "StringNotEquals": {
                               "s3:x-amz-server-side-encryption": "AES256"
                         }
                }
           },
           {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::<bucket_name>/*",
                "Condition": {
                        "Null": {
                               "s3:x-amz-server-side-encryption": true
                        }
               }
           }
}

[badra001]

Closed in 5e51436