How to automatically enforce default encryption on newly created S3 buckets with Terraform, using AWS Lambda, SNS and CloudWatch Events.
One of the most important things when you move into the cloud is to pay close attention to securing and monitoring your infrastructure; otherwise you may one day wake up to a bad surprise.
In this new post on AWS, I will describe how you can build a simple autonomous system that enforces default KMS encryption on every newly created bucket and sends a notification. As usual in my posts, everything is implemented as Terraform code. I strongly recommend that you avoid working directly in the console in production; get into the habit of doing everything through code (CloudFormation or Terraform).
Step 1: Write the Python code of the Lambda function that will enforce encryption (enforce_bucket_encryption.tf)
The steps below concern only the Terraform code.
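The post does not reproduce the Lambda code itself, so here is an added example of what the Step 1 handler can look like (this is my code, not the original post's). It assumes the event is the CloudTrail "AWS API Call via CloudTrail" record delivered by a CloudWatch Events rule matching eventName "CreateBucket", that the KMS key is passed in an environment variable named KMS_KEY_ID (a name chosen for this example), and it ships with a constructed in-memory fake S3 client so it can be run offline. It goes slightly beyond the post: it ignores failed CreateBucket calls (CloudTrail records those too, with an errorCode) and skips buckets that already have an SSE-KMS default, so re-deliveries of the same event are harmless.

```python
import os

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # lets the example run offline; in the Lambda runtime boto3 is always present
    boto3 = None

    class ClientError(Exception):
        """Stand-in mirroring botocore's ClientError(error_response, operation_name)."""
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response

NOT_CONFIGURED = "ServerSideEncryptionConfigurationNotFoundError"


def bucket_name_from_event(event):
    """Bucket name from a successful CreateBucket CloudTrail record, else None."""
    detail = event.get("detail", {})
    if detail.get("eventSource") != "s3.amazonaws.com" or detail.get("eventName") != "CreateBucket":
        return None
    if "errorCode" in detail:  # CloudTrail also records failed calls; nothing to enforce
        return None
    return (detail.get("requestParameters") or {}).get("bucketName")


def current_sse_algorithm(s3, bucket):
    """Configured default SSE algorithm ("AES256" or "aws:kms"), or None if unset."""
    try:
        conf = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as exc:
        if exc.response.get("Error", {}).get("Code") == NOT_CONFIGURED:
            return None
        raise
    rule = conf["ServerSideEncryptionConfiguration"]["Rules"][0]
    return rule["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]


def enforce_kms_encryption(s3, bucket, kms_key_id):
    """Put an SSE-KMS default rule unless one is already there; returns what happened."""
    if current_sse_algorithm(s3, bucket) == "aws:kms":
        return "already-kms"
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": kms_key_id,
            },
            "BucketKeyEnabled": True,  # S3 Bucket Keys cut KMS request volume and cost
        }]},
    )
    return "enforced"


def lambda_handler(event, context=None, s3=None):
    """Lambda entry point; `s3` is injectable so the logic can be tested offline."""
    if s3 is None:
        s3 = boto3.client("s3")
    bucket = bucket_name_from_event(event)
    if bucket is None:
        return {"bucket": None, "result": "ignored"}
    result = enforce_kms_encryption(s3, bucket, os.environ["KMS_KEY_ID"])
    return {"bucket": bucket, "result": result}


# --- constructed fake client and events, only for running the example offline ---
class FakeS3:
    """Minimal in-memory stand-in for the two boto3 S3 calls used above."""
    def __init__(self):
        self.config = {}

    def get_bucket_encryption(self, Bucket):
        if Bucket not in self.config:
            raise ClientError({"Error": {"Code": NOT_CONFIGURED}}, "GetBucketEncryption")
        return {"ServerSideEncryptionConfiguration": self.config[Bucket]}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self.config[Bucket] = ServerSideEncryptionConfiguration


def make_event(bucket, error_code=None):
    """Constructed CloudWatch Events / CloudTrail record for a CreateBucket call."""
    detail = {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
              "requestParameters": {"bucketName": bucket}}
    if error_code:
        detail["errorCode"] = error_code
    return {"source": "aws.s3", "detail-type": "AWS API Call via CloudTrail", "detail": detail}


def demo():
    """Run the handler three times against the fake client and return the outcomes."""
    os.environ["KMS_KEY_ID"] = "alias/example-s3-key"  # assumed alias for the demo
    s3 = FakeS3()
    first = lambda_handler(make_event("data-bucket"), s3=s3)["result"]
    second = lambda_handler(make_event("data-bucket"), s3=s3)["result"]  # duplicate delivery
    failed = lambda_handler(make_event("nope", error_code="AccessDenied"), s3=s3)["result"]
    algo = s3.config["data-bucket"]["Rules"][0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
    return first, second, failed, algo


if __name__ == "__main__":
    print(demo())
```

Two things worth knowing before deploying this: the function's role needs s3:GetEncryptionConfiguration and s3:PutEncryptionConfiguration on the buckets it will touch (that is the policy from Steps 3 and 4), and since January 2023 S3 applies SSE-S3 (AES256) to every new bucket by default, so the handler's job today is upgrading that AES256 default to your KMS key rather than adding encryption where there was none.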
Step 2: Declare all variables (var.tf)
Step 3: Create a policy document for the Lambda function (policy_doc.tf)
Step 4: Create a policy and attach it to a role (iam_policies.tf)
Step 5: Create the Lambda function and its role
I did not describe how to deploy the Lambda function code artifact to S3 because that is not the aim of this post. (Maybe in the future I will write a specific post describing how to publish a Lambda artifact to S3 through a CI/CD pipeline with GitLab.)
In our example the Lambda code artifact has already been deployed to an existing bucket under the name lambdacode.zip, with its Python dependencies in a separate zip file named libs.zip.
Step 6: Create the CloudWatch Event rule
The code below creates a CloudWatch Events rule that matches every "CreateBucket" API call (eventSource "s3.amazonaws.com", eventName "CreateBucket") and triggers both the Lambda function and the SNS topic. CreateBucket is a management API call, so it reaches CloudWatch Events only through CloudTrail: a trail that logs S3 management events must exist in the account and region, otherwise the rule never fires. Note also that the rule fires after the bucket already exists and default encryption only applies to objects written afterwards, so anything uploaded in the few seconds before the Lambda runs is not encrypted retroactively.
Step 7: Create the CloudWatch Event target that invokes the Lambda function
This code creates the CloudWatch Events target that invokes the Lambda function. The function also needs a resource-based permission (aws_lambda_permission) allowing the events.amazonaws.com principal to invoke it; without it the rule matches but the invocation fails, and the only trace is the rule's FailedInvocations metric.
Step 8: Create the CloudWatch Event target for sending SNS notifications
This code creates the CloudWatch Events target that sends the notification. It is almost the same as the previous step; only the target ARN changes. The SNS topic policy (aws_sns_topic_policy) must allow events.amazonaws.com to publish to the topic, or the notifications will be dropped the same way.
Step 9: Deploy the code.
Finally, run terraform plan to review the changes and terraform apply to deploy them.
Enjoy your work…