如何解决如何根据条件在 S3 上启用/禁用加密
我如何能够根据条件禁用或启用 S3 存储桶上的加密(AES256)?
TestBucket:
Type: AWS::S3::Bucket
DependsOn: TestSnsTopicPolicy
Properties:
BucketName: !Ref TestBucket
BucketEncryption:
!If
- **conditionForEnableOrdisableEncryption**
-
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
- !Ref "AWS::Novalue"
Tags:
- Key: "EnvironmentName"
Value: !Ref EnvironmentName
- Key: "ProjectName"
Value: !Ref ProjectName
ForceEncryption:
!If
- **conditionForEnableOrdisableEncryption**
-
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref TestBucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedobjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["",["arn:aws:s3:::",!Ref TestBucket,"/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "AES256"
DependsOn: TestBucket
- !Ref "AWS::Novalue"
请参考上面的代码片段。我收到错误为“无效的模板资源属性‘Fn::If’”
解决方法
您可以在模板中创建 conditions 部分。例如:
Parameters:
EnableEncryption:
Type: String
Default: false
AllowedValues: [true,false]
Conditions:
ShouldEnableEncryption:
!Equals [!Ref EnableEncryption,true]
Resources:
TestBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref TestBucketName
BucketEncryption:
!If
- ShouldEnableEncryption
-
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
- !Ref "AWS::NoValue"
Tags:
- Key: "EnvironmentName"
Value: !Ref EnvironmentName
- Key: "ProjectName"
Value: !Ref ProjectName
ForceEncryption:
Type: AWS::S3::BucketPolicy
Condition: ShouldEnableEncryption
Properties:
Bucket: !Ref TestBucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["",["arn:aws:s3:::",!Ref TestBucket,"/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "AES256"
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。