From d521b6c42aaa87246d3e29db67f8a6b66ae277cb Mon Sep 17 00:00:00 2001
From: Stanislav Yotov <29090864+svyotov@users.noreply.github.com>
Date: Tue, 17 Sep 2019 12:24:26 +0100
Subject: [PATCH 1/3] support encryption and versioning for S3

---
 s3/config.go | 15 +++++++++++++++
 s3/location.go | 44 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/s3/config.go b/s3/config.go
index 2d6baf92..9a80b9cd 100644
--- a/s3/config.go
+++ b/s3/config.go
@@ -50,6 +50,21 @@ const (
 // Its default value is "false", to enable set to "true".
 // This feature is useful for s3-compatible blob stores -- ie minio.
 ConfigV2Signing = "v2_signing"
+
+ // ConfigMFADelete specifies whether MFA delete is enabled in the bucket versioning configuration.
+ // This element is only returned if the bucket has been configured with MFA
+ // delete. If the bucket has never been so configured, this element is not returned.
+ // By default 'Disabled'
+ ConfigMFADelete = "mfa_delete"
+
+ // ConfigVersioningStatus specifies the versioning state of the bucket. By default 'Enabled'
+ ConfigVersioningStatus = "versioning"
+
+ // ConfigKMSMasterKeyID specifies the KMS key ID, when ConfigKServerSideEncryption is set to KMS
+ ConfigKMSMasterKeyID = "kms_master_key_id"
+
+ // ConfigServerSideEncryptionAlgorithm is the algorithm to use for encryption, by default AES256
+ ConfigServerSideEncryptionAlgorithm = "server_side_encryption_algorithm"
 )
 
 func init() {
diff --git a/s3/location.go b/s3/location.go
index 1186161b..870c35e0 100644
--- a/s3/location.go
+++ b/s3/location.go
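Review bot: The comment on `ConfigKMSMasterKeyID` refers to `ConfigKServerSideEncryption`, a name that does not exist in this hunk; the key it actually depends on is `ConfigServerSideEncryptionAlgorithm`, and the value that selects KMS is `aws:kms`, not `KMS`. Suggest `// ConfigKMSMasterKeyID specifies the KMS key ID to use when ConfigServerSideEncryptionAlgorithm is set to "aws:kms"; ignored otherwise.` The `ConfigMFADelete` comment is phrased for an API response ("This element is only returned ...") rather than for a configuration option, and neither it nor `ConfigVersioningStatus` states the accepted values; since the location code in this series forwards both strings to S3 as-is, documenting them here as `"Enabled"`/`"Disabled"` and `"Enabled"`/`"Suspended"` would tell callers what will actually be accepted. The same `ConfigKServerSideEncryption` typo survives as context in the second patch's config.go hunk.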
@@ -21,6 +21,48 @@ type location struct {
 client *s3.S3
 }
 
+// ConfigureVersioning configures versioning on the S3 bucket
+func (l *location) ConfigureVersioning(containerName string) error {
+ vc := &s3.VersioningConfiguration{}
+ if mfa, mfaSet := l.config.Config(ConfigMFADelete); mfaSet && mfa != "" {
+ vc.MFADelete = aws.String(mfa)
+ } else {
+ // by default disable MFA delete
+ vc.MFADelete = aws.String("Disabled")
+ }
+ if sta, staSet := l.config.Config(ConfigVersioningStatus); staSet && sta != "" {
+ vc.Status = aws.String(sta)
+ } else {
+ // by default enable versioning
+ vc.Status = aws.String("Enabled")
+ }
+ input := &s3.PutBucketVersioningInput{
+ Bucket: aws.String(containerName),
+ VersioningConfiguration: vc,
+ }
+ _, err := l.client.PutBucketVersioning(input)
+ return err
+}
+
+// ConfigureEncryption configures versioning on the S3 bucket
+func (l *location) ConfigureEncryption(containerName string) error {
+ sseCfg := &s3.ServerSideEncryptionByDefault{}
+ if alg, algSet := l.config.Config(ConfigServerSideEncryptionAlgorithm); algSet && alg != "" {
+ sseCfg.SSEAlgorithm = aws.String(alg)
+ } else {
+ // by default use AES256 encryption
+ sseCfg.SSEAlgorithm = aws.String("AES256")
+ }
+ if mfa, mfaSet := l.config.Config(ConfigKMSMasterKeyID); mfaSet && mfa != "" {
+ sseCfg.KMSMasterKeyID = aws.String(mfa)
+ }
+ rules := []*s3.ServerSideEncryptionRule{{ApplyServerSideEncryptionByDefault: sseCfg}}
+ serverConfig := &s3.ServerSideEncryptionConfiguration{Rules: rules}
+ input := &s3.PutBucketEncryptionInput{Bucket: aws.String(containerName), ServerSideEncryptionConfiguration: serverConfig}
+ _, err := l.client.PutBucketEncryption(input)
+ return err
+}
+
 // CreateContainer creates a new container, in this case an S3 bucket.
 // The bare minimum needed is a container name, but there are many other
 // options that can be provided.
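Review bot: In `ConfigureEncryption`, `KMSMasterKeyID` is copied into the rule whenever `ConfigKMSMasterKeyID` is set, independent of the algorithm chosen a few lines above; the S3 API only allows a key ID together with `aws:kms`, so a configuration that supplies a key ID but leaves the algorithm at the `AES256` default is rejected by `PutBucketEncryption` rather than reported as a misconfiguration here. Gate the assignment on the algorithm, e.g. `if kms, ok := l.config.Config(ConfigKMSMasterKeyID); ok && kms != "" && aws.StringValue(sseCfg.SSEAlgorithm) == s3.ServerSideEncryptionAwsKms {`. `ConfigureVersioning` likewise forwards `ConfigMFADelete` and `ConfigVersioningStatus` to S3 unvalidated and always sends an explicit `MFADelete`; enabling MFA delete additionally requires the `MFA` field of `PutBucketVersioningInput`, which this hunk never sets, so as far as I can tell an `Enabled` value cannot succeed as written and should either be rejected up front or documented as unsupported. The doc comment on `ConfigureEncryption` is a copy of the versioning one; it should read `// ConfigureEncryption configures default server-side encryption on the S3 bucket`. Neither function is called from any code visible in this series, so whether they run as part of container creation is unclear from here.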
@@ -34,7 +76,7 @@ func (l *location) CreateContainer(containerName string) (stow.Container, error)
 return nil, errors.Wrap(err, "CreateContainer, creating the bucket")
 }
 
- region, _ := l.config.Config("region")
+ region, _ := l.config.Config(ConfigRegion)
 
 newContainer := &container{
 name: containerName,

From 78f3af4fc9c3a38ecd45c09bbe16241ac6498d0e Mon Sep 17 00:00:00 2001
From: Stanislav Yotov <29090864+svyotov@users.noreply.github.com>
Date: Tue, 17 Sep 2019 12:36:53 +0100
Subject: [PATCH 2/3] versioning and encryption configurations

---
 s3/config.go | 3 ++-
 s3/location.go | 3 ---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/s3/config.go b/s3/config.go
index 9a80b9cd..5da6d5d3 100644
--- a/s3/config.go
+++ b/s3/config.go
@@ -63,7 +63,8 @@ const (
 // ConfigKMSMasterKeyID specifies the KMS key ID, when ConfigKServerSideEncryption is set to KMS
 ConfigKMSMasterKeyID = "kms_master_key_id"
 
- // ConfigServerSideEncryptionAlgorithm is the algorithm to use for encryption, by default AES256
+ // ConfigServerSideEncryptionAlgorithm is the algorithm to use for encryption (AES256 | aws:kms)
+ // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html
 ConfigServerSideEncryptionAlgorithm = "server_side_encryption_algorithm"
 )
 
diff --git a/s3/location.go b/s3/location.go
index 870c35e0..85a0b536 100644
--- a/s3/location.go
+++ b/s3/location.go
@@ -49,9 +49,6 @@ func (l *location) ConfigureEncryption(containerName string) error {
 sseCfg := &s3.ServerSideEncryptionByDefault{}
 if alg, algSet := l.config.Config(ConfigServerSideEncryptionAlgorithm); algSet && alg != "" {
 sseCfg.SSEAlgorithm = aws.String(alg)
- } else {
- // by default use AES256 encryption
- sseCfg.SSEAlgorithm = aws.String("AES256")
 }
 if mfa, mfaSet := l.config.Config(ConfigKMSMasterKeyID); mfaSet && mfa != "" {
 sseCfg.KMSMasterKeyID = aws.String(mfa)

From 34176e84a166dcb5874f51dd6ad5e2ae1bfb0c79 Mon Sep 17 00:00:00 2001
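Review bot: With the `AES256` fallback removed in the `@@ -49,9 +49,6 @@` hunk of s3/location.go, `ConfigureEncryption` leaves `sseCfg.SSEAlgorithm` nil when `ConfigServerSideEncryptionAlgorithm` is unset but still builds a rule around the empty `ServerSideEncryptionByDefault` and sends it; `SSEAlgorithm` is a required field of that structure, so the call fails (in the SDK's input validation or at the service) instead of the function becoming a no-op. If the intent is "no algorithm configured means leave the bucket alone", return before building the rule: `if alg, ok := l.config.Config(ConfigServerSideEncryptionAlgorithm); !ok || alg == "" { return nil }` and drop the separate lookup below it. If the intent is to keep encrypting by default, the previous fallback should stay; the config.go hunk in this patch now documents only `AES256 | aws:kms` and says nothing about the unset case either way. The function starts before this hunk, and its remainder, including the `PutBucketEncryption` call, lies outside it.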
From: Stanislav Yotov <29090864+svyotov@users.noreply.github.com>
Date: Tue, 17 Sep 2019 12:45:37 +0100
Subject: [PATCH 3/3] mfa->kms

---
 s3/location.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/s3/location.go b/s3/location.go
index 85a0b536..b7588356 100644
--- a/s3/location.go
+++ b/s3/location.go
@@ -50,8 +50,8 @@ func (l *location) ConfigureEncryption(containerName string) error {
 if alg, algSet := l.config.Config(ConfigServerSideEncryptionAlgorithm); algSet && alg != "" {
 sseCfg.SSEAlgorithm = aws.String(alg)
 }
- if mfa, mfaSet := l.config.Config(ConfigKMSMasterKeyID); mfaSet && mfa != "" {
- sseCfg.KMSMasterKeyID = aws.String(mfa)
+ if kms, kmsSet := l.config.Config(ConfigKMSMasterKeyID); kmsSet && kms != "" {
+ sseCfg.KMSMasterKeyID = aws.String(kms)
 }
 rules := []*s3.ServerSideEncryptionRule{{ApplyServerSideEncryptionByDefault: sseCfg}}
 serverConfig := &s3.ServerSideEncryptionConfiguration{Rules: rules}