AWS KMS+S3 File Storage

AWS KMS+S3 is a pattern for providing encrypted object storage.

The AWS KMS+S3 pattern involves provisioning an S3 bucket that enforces encryption at rest, with the data keys managed by KMS.

Provision an Encrypted Bucket with Terraform

# Consistent naming and tagging for the bucket (cloudposse/terraform-null-label).
module "assets_bucket_label" {
  source    = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
  namespace = "eg"
  stage     = "example"
  name      = "assets"
}

resource "aws_s3_bucket" "assets" {
  bucket        = "${module.assets_bucket_label.id}"
  acl           = "private"
  region        = "us-west-2"
  force_destroy = false # refuse to destroy the bucket while it still holds objects

  # Keep every object version so an overwritten or deleted secret can be recovered.
  versioning {
    enabled = true
  }

  # Default encryption for objects uploaded without their own SSE headers.
  # "aws:kms" is SSE-KMS; "AES256" would select SSE-S3 (S3-managed keys), which
  # does not go through KMS at all. Without kms_master_key_id the AWS-managed
  # aws/s3 key is used; set it to a customer-managed key ARN to control the key policy.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }

  tags = "${module.assets_bucket_label.tags}"
}
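The following is an added example, not part of the original page or the cloudposse modules: an offline audit function that checks whether a bucket's configuration matches this pattern (SSE-KMS as the default encryption, versioning enabled). The input dicts have the shape of the boto3 get_bucket_encryption() and get_bucket_versioning() responses; the sample dicts are constructed, and the "aws:kms"/"AES256" algorithm names and "KMSMasterKeyID" field are the real S3 API values.

```python
"""Offline audit of an S3 bucket's default-encryption and versioning settings.

Inputs have the shape of the boto3 responses of get_bucket_encryption()
and get_bucket_versioning(); the sample dicts below are constructed.
"""


def audit_bucket(encryption, versioning, require_cmk=False):
    """Return a list of findings; an empty list means the bucket matches
    the pattern (SSE-KMS by default, versioning enabled).

    encryption: get_bucket_encryption() response, or None when S3 reported
    that no default-encryption configuration exists.
    require_cmk: also require a customer-managed key instead of the
    AWS-managed aws/s3 key.
    """
    findings = []
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no default encryption configured")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == "AES256":
            # SSE-S3: S3-managed keys, so no KMS key policy or KMS audit trail applies
            findings.append("default encryption is SSE-S3 (AES256), not KMS")
        elif algo != "aws:kms":
            findings.append("unexpected SSEAlgorithm: %r" % (algo,))
        elif require_cmk and not default.get("KMSMasterKeyID"):
            findings.append("SSE-KMS uses the AWS-managed aws/s3 key, not a customer-managed key")
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    return findings


# Constructed sample: a bucket whose default is AES256 (SSE-S3).
SSE_S3_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
# Constructed sample: SSE-KMS with the AWS-managed key (no KMSMasterKeyID).
SSE_KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}
VERSIONING_ON = {"Status": "Enabled"}


if __name__ == "__main__":
    for name, cfg in (("AES256 bucket", SSE_S3_CONFIG), ("KMS bucket", SSE_KMS_CONFIG)):
        print(name, audit_bucket(cfg, VERSIONING_ON) or "compliant")
```

Against a real account, pass the responses of `s3.get_bucket_encryption(Bucket=...)` and `s3.get_bucket_versioning(Bucket=...)` directly; pass `None` for the encryption argument when the first call raises `ServerSideEncryptionConfigurationNotFoundError`.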

In geodesic, we use this together with goofys and our s3fs wrapper scripts to mount the encrypted bucket at a local mount point inside the geodesic container. This is an awesome solution for securely storing file-based secrets (e.g. SSH master keys).