
AWS SAM: How to create an S3 bucket with an already existing encryption key using SAM



I am a newbie to SAM (and CloudFormation) and I learned today that you can create a new bucket by adding something like this to the SAM YAML template:

Resources:
  MyGreatNewBucket:          # logical IDs must be alphanumeric, so hyphens are not allowed here
    Type: AWS::S3::Bucket

Does SAM offer a way to also add an already existing KMS encryption key to that newly created bucket (and to enable Bucket Key)?

With boto I would do exactly the following to achieve this:

import boto3

client = boto3.client("s3")
bucketName = "my-great-new-bucket"                       # the bucket created by the template
myKeyArn = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"    # placeholder for the existing KMS key

response = client.put_bucket_encryption(
    Bucket=bucketName,
    ServerSideEncryptionConfiguration={
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": myKeyArn,
                },
                "BucketKeyEnabled": True,
            }
        ]
    },
)

How can I transform this operation into the SAM template?


Solution

  • So S3::Bucket is not a SAM resource but a normal CloudFormation resource. You can achieve this by changing KMS-KEY-ARN to the Key ID of your Key.

    Resources:
      EncryptedS3Bucket:
        Type: 'AWS::S3::Bucket'
        Properties:
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - BucketKeyEnabled: true
                ServerSideEncryptionByDefault:
                  SSEAlgorithm: 'aws:kms'
                  KMSMasterKeyID: KMS-KEY-ARN
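As an added example (not code from the question or the answer above), here is a small Python check that verifies the property the whole thread is about: every `AWS::S3::Bucket` in the template defaults to SSE-KMS with a specific key and with Bucket Key enabled, and the same check can be run after deployment over the dict that `get_bucket_encryption` returns. The template below is the answer's resource in its parsed (dict) form, with the key identifier passed in through a template parameter named `KmsKeyArn` instead of being hard-coded; that parameter name, the second bucket `PlainBucket`, and the sample API response are all constructed for this example.

```python
"""Audit SSE-KMS + Bucket Key settings, before deployment (template dict) and
after deployment (get_bucket_encryption response dict)."""

# Constructed sample: the answer's template, parsed into a dict, with the key
# identifier supplied as a parameter (ARN or key ID) rather than hard-coded.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Parameters": {"KmsKeyArn": {"Type": "String"}},
    "Resources": {
        "EncryptedS3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {
                            "BucketKeyEnabled": True,
                            "ServerSideEncryptionByDefault": {
                                "SSEAlgorithm": "aws:kms",
                                "KMSMasterKeyID": {"Ref": "KmsKeyArn"},
                            },
                        }
                    ]
                }
            },
        },
        # Constructed: a bucket with no default encryption at all.
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}

# Constructed sample of what boto3's get_bucket_encryption returns for a bucket
# that was switched to SSE-S3 (AES256) by hand after deployment.
SAMPLE_API_RESPONSE = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                "BucketKeyEnabled": False,
            }
        ]
    }
}


def check_rule(rule):
    """Findings for one encryption rule; works for both the template key name
    (ServerSideEncryptionByDefault) and the API key name
    (ApplyServerSideEncryptionByDefault). Empty list means compliant."""
    findings = []
    default = (rule.get("ServerSideEncryptionByDefault")
               or rule.get("ApplyServerSideEncryptionByDefault") or {})
    if default.get("SSEAlgorithm") != "aws:kms":
        findings.append("SSEAlgorithm is not aws:kms")
    if not default.get("KMSMasterKeyID"):
        # Without a key, SSE-KMS falls back to the AWS-managed aws/s3 key.
        findings.append("KMSMasterKeyID missing")
    if rule.get("BucketKeyEnabled") is not True:
        findings.append("BucketKeyEnabled is not true")
    return findings


def audit_template(template):
    """Map each AWS::S3::Bucket logical ID in a parsed template to its findings."""
    results = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        rules = ((props.get("BucketEncryption") or {})
                 .get("ServerSideEncryptionConfiguration") or [])
        if not rules:
            results[logical_id] = ["no BucketEncryption configured"]
            continue
        findings = []
        for rule in rules:
            findings.extend(check_rule(rule))
        results[logical_id] = findings
    return results


def audit_api_response(response):
    """Findings for a get_bucket_encryption response (post-deployment check)."""
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule"]
    findings = []
    for rule in rules:
        findings.extend(check_rule(rule))
    return findings


if __name__ == "__main__":
    for bucket, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(bucket, "OK" if not findings else findings)
    print("deployed bucket", audit_api_response(SAMPLE_API_RESPONSE))
```

Running the file reports `EncryptedS3Bucket` as compliant, `PlainBucket` as having no encryption block, and the sample deployed bucket as drifted (wrong algorithm, no key, Bucket Key off). The same `check_rule` is shared by both audits because the template and the API describe the rule with the same fields, only the default-encryption key name differs; to run the post-deployment half against a real bucket, feed it `boto3.client("s3").get_bucket_encryption(Bucket=name)`.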