Skip to content

epomatti/aws-bucket-mfa-cmk

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

buckets

buckets

 
 

.gitignore

.gitignore

 
 

.terraform.lock.hcl

.terraform.lock.hcl

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

main.tf

main.tf

 
 

variables.tf

variables.tf

 
 

Repository files navigation

AWS Bucket with MFA delete "Deny"

Create the .auto.tfvars:

enforce_kms_policy = true
mfa_policy_enabled = true

To create the resources:

terraform init
terraform apply -auto-approve

KMS encryption will be enforced with a "s3:x-amz-server-side-encryption":"aws:kms" condition.

MFA delete controlled with "aws:MultiFactorAuthAge".

Few notes about SSE-KMS with CMK:

  • When using SSE-KMS, S3 automatically applies envelope encryption. Every object has it's own key.
  • KMS CMK key rotation is 365 days.

About

S3 MFA with CMK

Topics

aws kms terraform s3 bucket mfa aws-security cmk sse-kms cmek

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages