How to automatically enforce default encryption on newly S3 Bucket using terraform through AWS Lambda, SNS, Cloudwatch.

One of the main super important thing when you dive in Cloud world it’s paying huge attention to secure and monitor your infrastructure, else someday you could wake up with a bad surprise.

Enforce Encryption and Send SNS Notification

In this new post on AWS World, I will describe to you how you could simply create an autonomous system that will enforce default KMS encryption on all newly created buckets and send notifications. As usual in my post, everything will be implemented via Terraform code. I strongly recommend that you avoid working directly on the console in Production, get into the habit of doing everything via code (Cloudformation ou Terraform)

The next steps below will concern only terraform code.

var.tf — Contain all variables
Policydoc.tf — Contain JSON Policy Document
iampolicies.tf — Attach Policy Document to Policy

I did not describe the steps on how to deploy the lambda function code artifact on S3 because it’s not the aim of this post. (Maybe in the future I will write a specific post that will describe how to lambda artifact on S3 through a CI/CD pipeline with Gitlab).

In our example have deployed the lamda code artifact on existing Bucket with the name lambdacode.zip and its python dependencies in another zip file named libs.zip

Lambda.tf — Deploy Lambda function and requirements

The code below creates a Cloudwatch Event that will trap all “CreateBucket” event and then trigger the Lambda and SNS.

cloudwatcheventrule.tf

This code creates the Cloudwatch Event target that will process Lambda

This code creates the Cloudwatch Event target that will send Notification. It’s almost the same as the previous step, just the arn of the target that changes.

Finally, you just need to execute the terraform code in order to check and apply modifications.

Enjoy your work…

Multi Cloud (Azure/ AWS) Systems/Devops Engineer in France.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store