AWS KMS+S3 File Storage

AWS KMS+S3 is a pattern for encrypted object storage: S3 holds the objects and AWS KMS holds the keys with which they are encrypted at rest.

The AWS KMS+S3 pattern provisions a private, versioned S3 bucket whose default server-side encryption rule selects SSE-KMS (`sse_algorithm = "aws:kms"`), so every object written to it is encrypted at rest with a KMS key, reads require `kms:Decrypt` on that key in addition to S3 permissions, and each use of the key is recorded in CloudTrail. Note that `"AES256"` would select SSE-S3 (S3-managed keys), which is encryption at rest but without KMS.

Provision an Encrypted Bucket with Terraform

module "assets_bucket_label" {
  source    = "git::"
  namespace = "eg"
  stage     = "example"
  name      = "assets"
}

resource "aws_s3_bucket" "assets" {
  bucket        = "${}"
  acl           = "private"
  region        = "us-west-2"
  force_destroy = false

  # Keep prior versions so an overwritten or deleted secret can be recovered.
  versioning {
    enabled = true
  }

  # Default encryption: any object written without an explicit
  # x-amz-server-side-encryption header is stored with SSE-KMS.
  # "AES256" here would select SSE-S3 (S3-managed keys), not KMS.
  # Without kms_master_key_id the AWS-managed key aws/s3 is used; set it to
  # the ARN of a customer-managed key to control the key policy and
  # rotation yourself.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }

  tags = "${module.assets_bucket_label.tags}"
}
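A default-encryption rule only fills in the header when a client omits it; it does not reject a client that explicitly asks for a different algorithm. The following is an added example, not code from the original page or from Cloud Posse's modules, that makes the requirement enforceable with a bucket policy and additionally blocks public access and plaintext transport. It assumes the `aws_s3_bucket.assets` resource from the snippet above and uses the same Terraform 0.11 interpolation syntax.

```hcl
# Added example (not part of the original page). Assumes aws_s3_bucket.assets
# is defined as in the snippet above.

data "aws_iam_policy_document" "assets_enforce_encryption" {
  # Deny any PutObject whose x-amz-server-side-encryption header is not
  # "aws:kms" (e.g. a client explicitly requesting AES256 / SSE-S3).
  statement {
    sid    = "DenyPutObjectWithWrongAlgorithm"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]

    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }

  # Deny any PutObject that omits the header entirely. With this statement
  # every client must request aws:kms explicitly; the bucket's default
  # encryption rule then acts only as a backstop for other write paths.
  statement {
    sid    = "DenyPutObjectWithoutEncryptionHeader"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]

    condition {
      test     = "Null"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["true"]
    }
  }

  # Deny any request that is not made over TLS, so secrets are also
  # protected in transit.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    resources = [
      "${aws_s3_bucket.assets.arn}",
      "${aws_s3_bucket.assets.arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "assets" {
  bucket = "${aws_s3_bucket.assets.id}"
  policy = "${data.aws_iam_policy_document.assets_enforce_encryption.json}"
}

# A secrets bucket must never be reachable anonymously, regardless of ACLs
# or policies added later.
resource "aws_s3_bucket_public_access_block" "assets" {
  bucket                  = "${aws_s3_bucket.assets.id}"
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Because the bucket policy and the KMS key policy are evaluated separately, a principal needs `s3:GetObject` on the bucket and `kms:Decrypt` on the key to read a secret; revoking either is enough to cut off access, and `kms:Decrypt` calls show up in CloudTrail as an audit trail of who read what.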

In geodesic, we use this bucket together with goofys and our s3fs wrapper scripts to mount it at a local mount point inside the geodesic container. This makes it a convenient place to keep file-based secrets such as SSH master keys: the files are encrypted at rest under a KMS key, reading them requires both S3 permissions and `kms:Decrypt` on that key, and every decryption is recorded in CloudTrail.