I figured it out, there needs to be a "Null" condition to handle the case
where the header is not present. The following policy will require SSE-KMS
encryption on all objects in the bucket "testing".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Sid": "RequireAWSKMS",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::testing/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Effect": "Deny",
"Sid": "RequireEncHeader",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::testing/*",
"Condition": {
"Null": {
"s3:x-amz-server-side-encryption": "true"
}
}
}
]
}
On Thu, Apr 30, 2020 at 5:52 AM Abhishek Lekshmanan <abhishek(a)suse.com>
wrote:
Wyllys Ingersoll
<wyllys.ingersoll(a)keepertech.com> writes:
In Mimic, how extensive is the S3 bucket policy
support?
I'm trying to configure a bucket to require encryption using the
following
policy, but it doesn't appear to have any
effect, I can still upload
unencrypted objects. I tried different variations on the policy structure
but nothing seems to have any effect and I don't see anything in the logs
(debug_rgw = 5/5).
The policy asks to deny PutObject requests when
s3:x-amz-server-side-encryption is not aws:kms. But if the string is not
supplied the condition is not evaluated.
Try an allow-based policy with StringEquals? also you might want to
restrict the Principal to a specific user/tenant if that is an intent ?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::testing/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
}
]
}
Thanks,
Wyllys Ingersoll
_______________________________________________
Dev mailing list -- dev(a)ceph.io
To unsubscribe send an email to dev-leave(a)ceph.io
--
Abhishek Lekshmanan
SUSE Software Solutions Germany GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah, HRB 21284 (AG Nürnberg)