Skip to content

epomatti/aws-bucket-mfa-cmk

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
buckets
buckets
 
 
.gitignore
.gitignore
 
 
.terraform.lock.hcl
.terraform.lock.hcl
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

AWS Bucket with MFA delete "Deny"

Create the .auto.tfvars:

enforce_kms_policy = true
mfa_policy_enabled = true

To create the resources:

terraform init
terraform apply -auto-approve

KMS encryption will be enforced with a "s3:x-amz-server-side-encryption":"aws:kms" condition.

MFA delete controlled with "aws:MultiFactorAuthAge".

Few notes about SSE-KMS with CMK:

  • When using SSE-KMS, S3 automatically applies envelope encryption. Every object has it's own key.
  • KMS CMK key rotation is 365 days.

About

S3 MFA with CMK

Topics

aws kms terraform s3 bucket mfa aws-security cmk sse-kms cmek

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages