问题描述
我如何能够根据条件禁用或启用 S3 存储桶上的加密(AES256)?
TestBucket:
Type: AWS::S3::Bucket
DependsOn: TestSnsTopicPolicy
Properties:
BucketName: !Ref TestBucket
BucketEncryption:
!If
- **conditionForEnableOrdisableEncryption**
-
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
- !Ref "AWS::Novalue"
Tags:
- Key: "EnvironmentName"
Value: !Ref EnvironmentName
- Key: "ProjectName"
Value: !Ref ProjectName
ForceEncryption:
!If
- **conditionForEnableOrdisableEncryption**
-
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref TestBucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedobjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["",["arn:aws:s3:::",!Ref TestBucket,"/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "AES256"
DependsOn: TestBucket
- !Ref "AWS::Novalue"
请参考上面的代码片段。我收到错误为“无效的模板资源属性‘Fn::If’”
解决方法
您可以在模板中创建 conditions 部分。例如:
Parameters:
EnableEncryption:
Type: String
Default: false
AllowedValues: [true,false]
Conditions:
ShouldEnableEncryption:
!Equals [!Ref EnableEncryption,true]
Resources:
TestBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: !Ref TestBucketName
BucketEncryption:
!If
- ShouldEnableEncryption
-
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
- !Ref "AWS::NoValue"
Tags:
- Key: "EnvironmentName"
Value: !Ref EnvironmentName
- Key: "ProjectName"
Value: !Ref ProjectName
ForceEncryption:
Type: AWS::S3::BucketPolicy
Condition: ShouldEnableEncryption
Properties:
Bucket: !Ref TestBucket
PolicyDocument:
Version: "2008-10-17"
Statement:
- Sid: DenyUnEncryptedObjectUploads
Effect: Deny
Principal: "*"
Action:
- s3:PutObject
Resource:
- !Join ["",["arn:aws:s3:::",!Ref TestBucket,"/*"]]
Condition:
StringNotEquals:
"s3:x-amz-server-side-encryption":
- "AES256"