
S3

Enable Encryption and Versioning

Create a new bucket in Account ABC (--profile jkailasam):

$ aws s3 ls --profile jkailasam
$ aws s3api create-bucket --bucket s3-jeeva-test-bucket \
  --region us-east-1 --profile abc
{
    "Location": "/s3-jeeva-test-bucket"
}

$ aws s3api list-buckets --profile abc
{
    "Buckets": [
        {
            "Name": "s3-jeeva-test-bucket",
            "CreationDate": "2018-03-08T00:52:53.000Z"
        }
    ],
    "Owner": {
        "DisplayName": "kjeeva",
        "ID": "a9dd5aa014825f490dba2dcac800df3fcf61e3fde247b8e127031a3cf156feed"
    }
}

Confirm that the bucket is not encrypted and that versioning is not enabled:

$ aws s3api get-bucket-encryption --bucket s3-jeeva-test-bucket --region us-east-1 --profile abc

An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found


$ aws s3api get-bucket-versioning --bucket s3-jeeva-test-bucket --region us-east-1 --profile abc

(An empty response here means versioning has never been configured on the bucket.)

List the buckets in the XYZ account:

$ aws s3 ls --profile xyz
2017-11-15 10:50:56 cf-templates-a424w3sjszty-us-west-2

Note: "s3-jeeva-test-bucket" is not listed here. That confirms that I am using another account's credentials.

Using the XYZ credentials above, assume a role in the ABC account:

$ AWS_STS_DATA=$(aws sts assume-role --profile xyz --role-arn "arn:aws:iam::111111111111:role/s3test" --role-session-name "jeeva")
$ export AWS_ACCESS_KEY_ID=$(echo "$AWS_STS_DATA" | jq -r '.Credentials.AccessKeyId')
$ export AWS_SECRET_ACCESS_KEY=$(echo "$AWS_STS_DATA" | jq -r '.Credentials.SecretAccessKey')
$ export AWS_SESSION_TOKEN=$(echo "$AWS_STS_DATA" | jq -r '.Credentials.SessionToken')

Confirm that I have assumed the role in the ABC account by listing the S3 buckets (using the XYZ account credentials):

$ aws s3 ls
2018-03-07 16:52:53 s3-jeeva-test-bucket

Create an encryption configuration file for the bucket (write it fresh with > so an earlier copy of the file is not appended to):

cat > /tmp/s3.json <<EOF
{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-west-2:11111111111111:key/18eaa0e2-74dd-492d-b5cf-1e63b87b3c66"
      }
    }
  ]
}
EOF

Note: S3 requires the KMS key used for SSE-KMS to be in the same Region as the bucket. The key ARN in this file is in us-west-2 while the bucket was created in us-east-1, so use a key from the bucket's Region.

Apply default encryption to the bucket using the assumed role and the configuration file just created:

$ aws s3api put-bucket-encryption --bucket s3-jeeva-test-bucket --server-side-encryption-configuration file:///tmp/s3.json

Confirm the bucket is encrypted:

$ aws s3api get-bucket-encryption --bucket s3-jeeva-test-bucket --region us-east-1
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-west-2:689065950067:key/18eaa0e2-74dd-492d-b5cf-1e63b8769b99"
                }
            }
        ]
    }
}

Enable versioning for the bucket:

$ aws s3api put-bucket-versioning --bucket s3-jeeva-test-bucket --versioning-configuration Status=Enabled

Confirm that versioning is enabled:

$ aws s3api get-bucket-versioning --bucket s3-jeeva-test-bucket
{
    "Status": "Enabled"
}
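Added example, not part of the original notes: a Python checker that takes the text the two get-bucket-* commands above print and reports whether a bucket meets the baseline from this page (SSE-KMS by default, versioning enabled). It handles the two "not configured" shapes shown above (the NotFound error and the empty versioning response) and, since SSE-KMS needs the key in the bucket's Region, compares the key ARN's Region with the bucket's. The sample responses and the key ARN are constructed; the Region check assumes the key is given as a full ARN.

```python
import json

# Constructed samples modelled on the CLI output shown above; the key ARN is a placeholder.
ENC_NOT_FOUND = ("An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
                 "when calling the GetBucketEncryption operation: The server side "
                 "encryption configuration was not found")
ENC_KMS = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-ID"}}]}})
VER_ENABLED = '{\n    "Status": "Enabled"\n}'
VER_NEVER_SET = ""  # the CLI prints nothing when versioning was never configured


def assess_encryption(raw, bucket_region):
    """raw is what `aws s3api get-bucket-encryption` printed (stdout plus stderr).
    Returns a list of findings; an empty list means the bucket meets the baseline."""
    if not raw.strip() or "ServerSideEncryptionConfigurationNotFoundError" in raw:
        return ["no default encryption configured"]
    findings = []
    for rule in json.loads(raw)["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo != "aws:kms":
            findings.append("default algorithm is %r, expected 'aws:kms'" % algo)
            continue
        key = default.get("KMSMasterKeyID", "")
        # Key ARN layout: arn:aws:kms:<region>:<account>:key/<id>. S3 requires the key
        # to live in the bucket's Region; a bare key id or alias cannot be checked here.
        if key.startswith("arn:aws:kms:") and key.split(":")[3] != bucket_region:
            findings.append("KMS key is in %s, bucket is in %s"
                            % (key.split(":")[3], bucket_region))
    return findings


def assess_versioning(raw):
    """raw is what `aws s3api get-bucket-versioning` printed."""
    status = json.loads(raw).get("Status") if raw.strip() else None
    return [] if status == "Enabled" else ["versioning status is %r" % status]


def audit(enc_raw, ver_raw, bucket_region):
    """All findings for one bucket; empty means compliant."""
    return assess_encryption(enc_raw, bucket_region) + assess_versioning(ver_raw)


if __name__ == "__main__":
    print("before:", audit(ENC_NOT_FOUND, VER_NEVER_SET, "us-east-1"))
    print("after: ", audit(ENC_KMS, VER_ENABLED, "us-west-2"))
```

To check a real bucket, capture the output of `aws s3api get-bucket-encryption ... 2>&1` and `aws s3api get-bucket-versioning ...` and pass the two strings plus the bucket's Region to audit().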

Copy objects between buckets, filtering by name:

aws s3 cp --recursive --include '*.tif' --exclude '*NP.tif' s3://s3usw2appphcstaging-turing-b001/ANCHOR/ s3://s3usw2phcdatatouringimagingsb001/ANCHOR/

aws s3 cp --recursive --include '*.tif' --exclude '*NP.tif' s3://s3usw2appphcstaging-turing-b001/MARINA/ s3://s3usw2phcdatatouringimagingsb001/MARINA/

Note: aws s3 filters are applied in the order given and everything is included by default, so as written these commands copy every object except those matching *NP.tif. To copy only .tif files (minus *NP.tif), start with --exclude '*' and then add the two filters above.