forked from awsdocs/aws-doc-sdk-examples
/
s3_require_server_encryption.go
102 lines (88 loc) · 3.25 KB
/
s3_require_server_encryption.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
// snippet-comment:[These are tags for the AWS doc team's sample catalog. Do not remove.]
// snippet-sourceauthor:[Doug-AWS]
// snippet-sourcedescription:[Adds a policy to an S3 bucket.]
// snippet-keyword:[Amazon Simple Storage Service]
// snippet-keyword:[Amazon S3]
// snippet-keyword:[PutBucketPolicy function]
// snippet-keyword:[Go]
// snippet-sourcesyntax:[go]
// snippet-service:[s3]
// snippet-keyword:[Code Sample]
// snippet-sourcetype:[full-example]
// snippet-sourcedate:[2018-03-16]
/*
Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
This file is licensed under the Apache License, Version 2.0 (the "License").
You may not use this file except in compliance with the License. A copy of
the License is located at
http://aws.amazon.com/apache2.0/
This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
*/
package main
import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/s3"
"fmt"
"os"
"encoding/json"
)
func main() {
bucket := "myBucket"
// Initialize a session that the SDK uses to load
// credentials from the shared credentials file ~/.aws/credentials
// and the region from the shard configuration file ~/.aws/config.
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
svc := s3.New(sess)
PolicyDoc := map[string]interface{}{
"Version": "2012-10-17",
"Statement": []map[string]interface{}{
{
"Sid": "DenyIncorrectEncryptionHeader",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::" + bucket + "/*",
"Condition": map[string]interface{}{
"StringNotEquals": map[string]interface{}{
"s3:x-amz-server-side-encryption": "aws:kms",
},
},
},
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::" + bucket + "/*",
"Condition": map[string]interface{}{
"Null": map[string]interface{}{
"s3:x-amz-server-side-encryption": "true",
},
},
},
},
}
// Marshal the policy into a JSON value so that it can be sent to S3.
policy, err := json.Marshal(PolicyDoc)
if err != nil {
fmt.Println("Error marshalling policy:")
fmt.Println(err.Error())
os.Exit(1)
}
input := &s3.PutBucketPolicyInput{
Bucket: aws.String(bucket),
Policy: aws.String(string(policy)),
}
_, err = svc.PutBucketPolicy(input)
if err != nil {
fmt.Println("Got an error adding policy to bucket " + bucket + ":")
fmt.Println(err.Error())
os.Exit(1)
}
fmt.Println("Set policy for " + bucket)
}