S3
Enable Encryption and Versioning
Create a new bucket in Account ABC (--profile jkailasam):
$ aws s3 ls --profile jkailasam
$ aws s3api create-bucket --bucket s3-jeeva-test-bucket \
--region us-east-1 --profile abc
{
"Location": "/s3-jeeva-test-bucket"
}
$ aws s3api list-buckets --profile abc
{
"Buckets": [
{
"Name": "s3-jeeva-test-bucket",
"CreationDate": "2018-03-08T00:52:53.000Z"
}
],
"Owner": {
"DisplayName": "kjeeva",
"ID": "a9dd5aa014825f490dba2dcac800df3fcf61e3fde247b8e127031a3cf156feed"
}
}
Confirm the bucket is not encrypted and versioning is not enabled
$ aws s3api get-bucket-encryption --bucket s3-jeeva-test-bucket --region us-east-1 --profile abc
An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found
$ aws s3api get-bucket-versioning --bucket s3-jeeva-test-bucket --region us-east-1 --profile abc
Note: get-bucket-versioning prints nothing for a bucket on which versioning has never been enabled, so empty output here is the expected "not enabled" result.
List the buckets in the XYZ Account:
$ aws s3 ls --profile xyz
2017-11-15 10:50:56 cf-templates-a424w3sjszty-us-west-2
Note: "s3-jeeva-test-bucket" is not listed here. That confirms that I am using another account's credentials.
Using the above XYZ credential, assume a role in the ABC account:
$ AWS_STS_DATA=$(aws sts assume-role --profile xyz --role-arn "arn:aws:iam::111111111111:role/s3test" --role-session-name "jeeva")
$ export AWS_ACCESS_KEY_ID=$(echo $AWS_STS_DATA | jq -r '.Credentials.AccessKeyId')
$ export AWS_SECRET_ACCESS_KEY=$(echo $AWS_STS_DATA | jq -r '.Credentials.SecretAccessKey')
$ export AWS_SESSION_TOKEN=$(echo $AWS_STS_DATA | jq -r '.Credentials.SessionToken')
Confirm I have assumed the role in the ABC account by listing S3 buckets (using XYZ account credentials):
$ aws s3 ls
2018-03-07 16:52:53 s3-jeeva-test-bucket
Create an encryption configuration file for the bucket:
cat > /tmp/s3.json <<EOF
{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-west-2:11111111111111:key/18eaa0e2-74dd-492d-b5cf-1e63b87b3c66"
}
}
]
}
EOF
Enable default encryption on the bucket using the assumed role and the configuration file we just created. Note: default encryption applies to objects written after it is set; objects already in the bucket are not re-encrypted.
$ aws s3api put-bucket-encryption --bucket s3-jeeva-test-bucket --server-side-encryption-configuration file:///tmp/s3.json
Confirm the bucket has default encryption
$ aws s3api get-bucket-encryption --bucket s3-jeeva-test-bucket --region us-east-1
{
"ServerSideEncryptionConfiguration": {
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "arn:aws:kms:us-west-2:689065950067:key/18eaa0e2-74dd-492d-b5cf-1e63b8769b99"
}
}
]
}
}
Enable Versioning for the bucket
$ aws s3api put-bucket-versioning --bucket s3-jeeva-test-bucket --versioning-configuration Status=Enabled
Confirm that versioning is enabled.
$ aws s3api get-bucket-versioning --bucket s3-jeeva-test-bucket
{
"Status": "Enabled"
}
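As an added example (not from this page or the AWS CLI), a Python check that builds the default-encryption document and audits the raw get-bucket-encryption / get-bucket-versioning output before and after the change. The bucket above lives in us-east-1 while the key ARN it is given lives in us-west-2; S3 requires the KMS key to be in the bucket's own region, so the audit reports that. Sample inputs are constructed from the outputs shown above, and the ARN pattern assumes key ARNs rather than aliases.

```python
import json
import re

# Shape of a KMS key ARN: region, 12-digit account, key id (assumption: key ARNs, not aliases).
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$")


def build_encryption_config(kms_key_arn):
    """Build the document put-bucket-encryption takes, refusing a malformed key ARN."""
    if not KMS_KEY_ARN.match(kms_key_arn):
        raise ValueError("not a well-formed KMS key ARN: " + kms_key_arn)
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}}]}


def audit_bucket(bucket_region, encryption_output, versioning_output):
    """Judge the raw text printed by get-bucket-encryption / get-bucket-versioning:
    the JSON body or the CLI error line, and the JSON body or '' (never enabled)."""
    findings = []
    if "ServerSideEncryptionConfigurationNotFoundError" in encryption_output:
        findings.append("no default encryption configured")
    else:
        rules = json.loads(encryption_output)["ServerSideEncryptionConfiguration"]["Rules"]
        for rule in rules:
            default = rule["ApplyServerSideEncryptionByDefault"]
            if default["SSEAlgorithm"] != "aws:kms":
                findings.append("default encryption is %s, not SSE-KMS" % default["SSEAlgorithm"])
                continue
            m = KMS_KEY_ARN.match(default.get("KMSMasterKeyID", ""))
            if m is None:
                findings.append("KMS key not given as a full ARN; cannot check its region")
            elif m.group("region") != bucket_region:
                # S3 requires the key to be in the bucket's region; uploads fail otherwise.
                findings.append("KMS key is in %s but bucket is in %s" % (m.group("region"), bucket_region))
    status = json.loads(versioning_output).get("Status") if versioning_output.strip() else None
    if status != "Enabled":
        findings.append("versioning not enabled")
    return findings


# Samples constructed from the CLI outputs shown on this page (the bucket is in us-east-1).
BEFORE_ENC = ("An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling "
              "the GetBucketEncryption operation: The server side encryption configuration was not found")
AFTER_ENC = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
    "KMSMasterKeyID": "arn:aws:kms:us-west-2:689065950067:key/18eaa0e2-74dd-492d-b5cf-1e63b8769b99"}}]}})
```

Feed it the text captured from the CLI (for example, `aws s3api get-bucket-encryption ... 2>&1`) and act on a non-empty findings list.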
Copy TIFF images between buckets, skipping files whose names end in NP.tif:
aws s3 cp --recursive --include '*.tif' --exclude '*NP.tif' s3://s3usw2appphcstaging-turing-b001/ANCHOR/ s3://s3usw2phcdatatouringimagingsb001/ANCHOR/
aws s3 cp --recursive --include '*.tif' --exclude '*NP.tif' s3://s3usw2appphcstaging-turing-b001/MARINA/ s3://s3usw2phcdatatouringimagingsb001/MARINA/
Note: the CLI includes every object by default, so --include '*.tif' on its own does not limit the copy to .tif files; only the --exclude '*NP.tif' filter changes what is copied. Filters apply in the order given, so to copy only .tif files put --exclude '*' first, then --include '*.tif', then --exclude '*NP.tif'.