
Resource: awsS3BucketServerSideEncryptionConfiguration

Provides an S3 bucket server-side encryption configuration resource.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsKmsKeyMykey = new aws.kmsKey.KmsKey(this, "mykey", {
  deletionWindowInDays: 10,
  description: "This key is used to encrypt bucket objects",
});
const awsS3BucketMybucket = new aws.s3Bucket.S3Bucket(this, "mybucket", {
  bucket: "mybucket",
});
new aws.s3BucketServerSideEncryptionConfiguration.S3BucketServerSideEncryptionConfigurationA(
  this,
  "example",
  {
    bucket: awsS3BucketMybucket.id,
    rule: [
      {
        applyServerSideEncryptionByDefault: {
          kmsMasterKeyId: awsKmsKeyMykey.arn,
          sseAlgorithm: "aws:kms",
        },
      },
    ],
  }
);

Argument Reference

The following arguments are supported:

  • bucket - (Required, Forces new resource) ID (name) of the bucket.
  • expectedBucketOwner - (Optional, Forces new resource) Account ID of the expected bucket owner.
  • rule - (Required) Set of server-side encryption configuration rules. See below. Currently, only a single rule is supported.

rule

The rule configuration block supports the following arguments:

  • applyServerSideEncryptionByDefault - (Optional) Single object for setting server-side encryption by default. See below.
  • bucketKeyEnabled - (Optional) Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.

applyServerSideEncryptionByDefault

The applyServerSideEncryptionByDefault configuration block supports the following arguments:

  • sseAlgorithm - (Required) Server-side encryption algorithm to use. Valid values are AES256 and aws:kms.
  • kmsMasterKeyId - (Optional) AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sseAlgorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sseAlgorithm is aws:kms.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The bucket or bucket and expectedBucketOwner separated by a comma (,) if the latter is provided.
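As an added example (not part of the provider documentation or the CDKTF project), the following TypeScript checker encodes the constraints stated in the argument reference above (single rule, valid sseAlgorithm values, kmsMasterKeyId only with aws:kms) and derives the id attribute in the form the import section expects; the function names validateSseConfig and importId and the sample configurations are assumptions.

```typescript
// Added example: lint a configuration object shaped like the resource's
// arguments before handing it to CDKTF, and compute the import ID.
interface ApplyByDefault {
  sseAlgorithm: string;      // AES256 or aws:kms (case-sensitive)
  kmsMasterKeyId?: string;   // only meaningful with aws:kms
}
interface SseRule {
  applyServerSideEncryptionByDefault?: ApplyByDefault;
  bucketKeyEnabled?: boolean;
}
interface SseConfig {
  bucket: string;
  expectedBucketOwner?: string;
  rule: SseRule[];
}

const VALID_ALGORITHMS = ["AES256", "aws:kms"];

// Returns a list of findings; an empty list means the config is consistent
// with the documented argument constraints.
function validateSseConfig(cfg: SseConfig): string[] {
  const findings: string[] = [];
  if (cfg.rule.length !== 1) {
    findings.push("exactly one rule is supported, got " + cfg.rule.length);
  }
  for (const rule of cfg.rule) {
    const def = rule.applyServerSideEncryptionByDefault;
    if (!def) {
      findings.push("rule sets no applyServerSideEncryptionByDefault");
      continue;
    }
    if (VALID_ALGORITHMS.indexOf(def.sseAlgorithm) === -1) {
      findings.push("sseAlgorithm must be AES256 or aws:kms, got \"" + def.sseAlgorithm + "\"");
    }
    if (def.kmsMasterKeyId && def.sseAlgorithm !== "aws:kms") {
      findings.push("kmsMasterKeyId is only valid when sseAlgorithm is aws:kms");
    }
    if (def.sseAlgorithm === "aws:kms" && !def.kmsMasterKeyId) {
      findings.push("kmsMasterKeyId absent: the default aws/s3 KMS key will be used");
    }
    if (def.sseAlgorithm === "aws:kms" && rule.bucketKeyEnabled !== true) {
      findings.push("bucketKeyEnabled not set: S3 Bucket Keys are off for SSE-KMS");
    }
  }
  return findings;
}

// id attribute: "bucket" or "bucket,expectedBucketOwner".
function importId(cfg: SseConfig): string {
  return cfg.expectedBucketOwner ? cfg.bucket + "," + cfg.expectedBucketOwner : cfg.bucket;
}
```

The informational findings about the default aws/s3 key and Bucket Keys are not errors; the provider accepts such configurations, they just flag choices worth reviewing.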

Import

S3 bucket server-side encryption configuration can be imported in one of two ways.

If the owner (account ID) of the source bucket is the same account used to configure the Terraform AWS Provider, the S3 server-side encryption configuration resource should be imported using the bucket e.g.,

$ terraform import aws_s3_bucket_server_side_encryption_configuration.example bucket-name

If the owner (account ID) of the source bucket differs from the account used to configure the Terraform AWS Provider, the S3 bucket server-side encryption configuration resource should be imported using the bucket and expectedBucketOwner separated by a comma (,) e.g.,

$ terraform import aws_s3_bucket_server_side_encryption_configuration.example bucket-name,123456789012