
Changes between Initial Version and Version 1 of Ticket #10488, comment 9


Timestamp: Apr 14, 2019 3:32:34 PM (19 months ago)
Author: a.cyberduc.user

  • Ticket #10488, comment 9

    The `x-amz-server-side-encryption: AES256` header is present on the root folder creation and not present on the sub-folder creation.

    The IAM policy that is applied to the bucket&object path requires that **every** call to s3 that involves writing bytes to an object **must** include the "store with AES key managed by KMS" header. For testing purposes, you can:

    * create an s3 bucket
    * apply this bucket policy:
    {{{
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyIncorrectEncryptionHeader",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::bucket-name-here/*",
                "Condition": {
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption": "AES256"
                    }
                }
            },
            {
                "Sid": "DenyUnEncryptedObjectUploads",
                "Effect": "Deny",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::bucket-name-here/*",
                "Condition": {
                    "Null": {
                        "s3:x-amz-server-side-encryption": "true"
                    }
                }
            }
        ]
    }
    }}}

    to reproduce / test.
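
Added example (not part of the ticket comment and not Cyberduck code): a simplified local evaluation of the two Deny statements above against constructed PutObject requests, showing why a folder-creation request without the `x-amz-server-side-encryption` header is rejected while one carrying `AES256` is not. The request labels, object keys, the `aws:kms` case and the helper names are assumptions for illustration; only the two condition operators used in the policy are modelled.

```python
# Added example: simplified local evaluation of the ticket's two Deny statements.
SSE_KEY = "s3:x-amz-server-side-encryption"
RESOURCE = "arn:aws:s3:::bucket-name-here/*"  # placeholder bucket name from the ticket

POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny",
     "Principal": {"AWS": "*"}, "Action": "s3:PutObject", "Resource": RESOURCE,
     "Condition": {"StringNotEquals": {SSE_KEY: "AES256"}}},
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny",
     "Principal": {"AWS": "*"}, "Action": "s3:PutObject", "Resource": RESOURCE,
     "Condition": {"Null": {SSE_KEY: "true"}}},
]}

def condition_matches(operator, key, expected, context):
    """Evaluate one condition entry (only the two operators this policy uses)."""
    actual = context.get(key)
    if operator == "StringNotEquals":
        # Negated operators evaluate to true when the key is absent from the request.
        return actual is None or actual != expected
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return (actual is None) == (expected == "true")
    raise ValueError(f"unsupported operator: {operator}")

def denying_sids(policy, action, resource_arn, headers):
    """Return the Sids of Deny statements that match a request with these headers."""
    context = {"s3:" + name.lower(): value for name, value in headers.items()}
    hits = []
    for st in policy["Statement"]:
        prefix = st["Resource"].rstrip("*")
        if st["Effect"] != "Deny" or st["Action"] != action or not resource_arn.startswith(prefix):
            continue
        if all(condition_matches(op, k, v, context)
               for op, pairs in st["Condition"].items() for k, v in pairs.items()):
            hits.append(st["Sid"])
    return hits

# Constructed requests; folder creation is assumed to be an s3:PutObject call.
REQUESTS = [
    ("root folder, header sent", "root/", {"x-amz-server-side-encryption": "AES256"}),
    ("sub-folder, header missing", "root/sub/", {}),
    ("sub-folder, other SSE value", "root/sub/", {"x-amz-server-side-encryption": "aws:kms"}),
]

if __name__ == "__main__":
    for label, key, headers in REQUESTS:
        sids = denying_sids(POLICY, "s3:PutObject", "arn:aws:s3:::bucket-name-here/" + key, headers)
        print(f"{label}: {'DENIED by ' + ', '.join(sids) if sids else 'no Deny matched'}")
```

A request that matches no Deny statement still needs an explicit Allow from an identity or bucket policy before S3 accepts it; this sketch reports only the Deny side.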