Here are instructions for how to enforce AWS server-side encryption on your Amazon backup bucket:
- Select a bucket and select “Properties” from the drop-down menu:
- Select “Permissions,” then click “Edit bucket policy”:
- The policy editor will open:
- Enter a policy that will force all uploads to be encrypted. Here is an example of a policy that forces all cloudHQ uploads to be encrypted (AWS will reject any non-encrypted upload, and cloudHQ will follow the rule):
```json
{
  "Version": "2012-10-17",
  "Id": "PutObjPolicy",
  "Statement": [
    {
      "Sid": "DenyIncorrectEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::acme-backup-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::acme-backup-bucket/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    }
  ]
}
```
IMPORTANT: Replace acme-backup-bucket in the Resource ARN (arn:aws:s3:::acme-backup-bucket/*) with the name of your own bucket.
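To see what the two Deny statements actually do before attaching the policy, the following added example (not part of the original instructions or of cloudHQ's code) evaluates a copy of the policy above against three constructed PutObject requests: one with the AES256 header, one with an aws:kms header, and one with no encryption header. The object key, the sample requests and the treatment of a missing key in the StringNotEquals simulator are assumptions of this example; note that the policy as written also rejects SSE-KMS uploads, since only the literal value AES256 is accepted.

```python
import json

# Copy of the bucket policy from the instructions above (bucket name is the page's placeholder).
BUCKET_POLICY = json.loads("""
{ "Version": "2012-10-17", "Id": "PutObjPolicy", "Statement": [
  { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-backup-bucket/*",
    "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } },
  { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-backup-bucket/*",
    "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } } } ] }
""")

def condition_matches(condition, ctx):
    """Evaluate the two IAM condition operators this policy uses against request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "true" matches when the key is absent from the request, "false" when present.
                if (key not in ctx) != (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # Simulator assumption: an absent key counts as "not equal". The Null statement
                # denies the absent-header case anyway, so the verdict does not depend on this.
                if ctx.get(key) == expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def denying_statements(policy, action, resource, ctx):
    """Return the Sids of Deny statements matching a request; an empty list means the policy does not block it."""
    denied = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        if not resource.startswith(stmt["Resource"].rstrip("*")):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            denied.append(stmt["Sid"])
    return denied

# Constructed sample uploads: the s3:x-amz-server-side-encryption header as S3 sees it on the request.
OBJECT_ARN = "arn:aws:s3:::acme-backup-bucket/backup.tar"
SAMPLES = {
    "sse-s3": {"s3:x-amz-server-side-encryption": "AES256"},
    "sse-kms": {"s3:x-amz-server-side-encryption": "aws:kms"},
    "no-header": {},
}

for name, ctx in SAMPLES.items():
    print(name, denying_statements(BUCKET_POLICY, "s3:PutObject", OBJECT_ARN, ctx) or "not blocked by this policy")
```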