Enabling S3 Bucket Keys (widdix#531)

Co-authored-by: Michael Wittig <[email protected]>
kaliumxyz · Feb 22, 2021 · 357a5ec · 357a5ec
1 parent 93d18d5
commit 357a5ec
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/operations/terraform-state.yaml b/operations/terraform-state.yaml
@@ -49,7 +49,8 @@ Resources:
     Properties:
       BucketEncryption:
         ServerSideEncryptionConfiguration:
-        - ServerSideEncryptionByDefault:
+        - BucketKeyEnabled: true
+          ServerSideEncryptionByDefault:
             KMSMasterKeyID: {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}
             SSEAlgorithm: 'aws:kms'
       BucketName: !Ref TerraformStateIdentifier

diff --git a/state/s3.yaml b/state/s3.yaml
@@ -151,7 +151,7 @@ Resources:
         QueueConfigurations:
         - !If [HasS3VirusScan, {Event: 's3:ObjectCreated:*', Queue: {'Fn::ImportValue': !Sub '${ParentS3VirusScanStack}-ScanQueueArn'}}, !Ref 'AWS::NoValue']
       VersioningConfiguration: !If [HasVersioning, {Status: Enabled}, !If [HadVersioning, {Status: Suspended}, !Ref 'AWS::NoValue']]
-      BucketEncryption: !If [HasKmsKey, {ServerSideEncryptionConfiguration: [{ServerSideEncryptionByDefault: {KMSMasterKeyID: {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}, SSEAlgorithm: 'aws:kms'}}]}, !Ref 'AWS::NoValue']
+      BucketEncryption: !If [HasKmsKey, {ServerSideEncryptionConfiguration: [{BucketKeyEnabled: true, ServerSideEncryptionByDefault: {KMSMasterKeyID: {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyArn'}, SSEAlgorithm: 'aws:kms'}}]}, !Ref 'AWS::NoValue']
   BucketPolicy:
     Type: 'AWS::S3::BucketPolicy'
     Properties: