copilot-cli
Objects uploaded to Copilot managed S3 bucket should be encrypted
Due to some security constraint (e.g., AWS Organization SCP), any object uploaded to an S3 bucket must be encrypted. Copilot should either encrypt these objects by default or make it optional for users.
For example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "*",
      "Effect": "Deny",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": true
        },
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
This requires the object to be encrypted either with AES256 or with any KMS key.
It turns out that the example SCP policy is actually very confusing, but nevertheless the issue still applies.
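To see exactly which uploads the SCP above blocks, here is an added example (not part of copilot-cli or of the issue) that evaluates the two deny statements against a simulated `s3:PutObject` request context using IAM's condition semantics: all operators in one `Condition` block are ANDed, `Null: true` matches when the key is absent, and a negated operator such as `StringNotEquals` is satisfied when the key is absent. The `put_object_kwargs` helper shows the `ServerSideEncryption` argument a boto3 `put_object` call would need to carry so the request passes; the bucket and key names are constructed placeholders.

```python
import json

# Policy copied from the issue above (two deny statements); the surrounding
# evaluator is a constructed example and not copilot-cli code.
SCP_POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["s3:PutObject"], "Resource": "*", "Effect": "Deny",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": true},
                   "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Action": "s3:*", "Effect": "Deny", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
''')


def _action_matches(pattern, action):
    """Match an IAM action pattern such as "s3:*" or "s3:PutObject" (case-insensitive)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def _condition_matches(operator, key, expected, context):
    """Evaluate one operator/key/expected triple against the request context.

    Null checks presence only; StringNotEquals (negated) is satisfied when the
    key is missing; Bool (positive) is not satisfied when the key is missing.
    """
    present = key in context
    if operator == "Null":
        return present != bool(expected)      # expected=true means "key must be absent"
    values = expected if isinstance(expected, list) else [expected]
    if operator == "StringNotEquals":
        return True if not present else context[key] not in values
    if operator == "Bool":
        return present and str(context[key]).lower() == str(values[0]).lower()
    raise ValueError(f"operator {operator} not modelled in this example")


def is_denied(policy, action, context):
    """Return True if any Deny statement in the policy applies to the request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        conditions = stmt.get("Condition", {})
        # Every operator and every key inside the Condition block must match.
        if all(_condition_matches(op, key, exp, context)
               for op, kv in conditions.items() for key, exp in kv.items()):
            return True
    return False


def put_object_kwargs(bucket, key, body, sse="aws:kms", kms_key_id=None):
    """Build keyword arguments for boto3's s3.put_object so the upload carries
    the x-amz-server-side-encryption header the SCP inspects."""
    kwargs = {"Bucket": bucket, "Key": key, "Body": body}
    if sse:
        kwargs["ServerSideEncryption"] = sse          # "aws:kms" or "AES256"
    if kms_key_id:
        kwargs["SSEKMSKeyId"] = kms_key_id
    return kwargs


def request_context(kwargs, tls=True):
    """Translate put_object kwargs into the condition keys the SCP evaluates."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    if "ServerSideEncryption" in kwargs:
        ctx["s3:x-amz-server-side-encryption"] = kwargs["ServerSideEncryption"]
    return ctx


def upload_is_denied(kwargs, tls=True):
    """True if the SCP from the issue would deny this PutObject request."""
    return is_denied(SCP_POLICY, "s3:PutObject", request_context(kwargs, tls))


if __name__ == "__main__":
    # Constructed bucket/key names; no AWS call is made here.
    cases = {
        "no SSE header": put_object_kwargs("example-artifact-bucket", "x.zip", b"", sse=None),
        "SSE aws:kms":   put_object_kwargs("example-artifact-bucket", "x.zip", b""),
        "SSE AES256":    put_object_kwargs("example-artifact-bucket", "x.zip", b"", sse="AES256"),
    }
    for name, kw in cases.items():
        print(f"{name:14s} denied={upload_is_denied(kw)}")
    print(f"{'aws:kms, no TLS':14s} denied={upload_is_denied(cases['SSE aws:kms'], tls=False)}")
```

The evaluator reproduces the point the follow-up comment calls confusing: because `Null` and `StringNotEquals` sit in the same `Condition` block and are ANDed, the first statement only fires when the header is entirely absent, so an upload that sets `ServerSideEncryption="AES256"` passes just as one with `aws:kms` does, while an upload with no header at all, or one made over plain HTTP, is denied.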
I have the same issue. My company enforces a global security policy on all buckets, enabling server side encryption. Hence, Copilot fails when it needs to upload something to S3, e.g.
```text
✘ execute svc deploy: upload deploy resources for service [...]: upload custom resources for [...]: upload custom resource "DynamicDesiredCountFunction": upload manual/scripts/custom-resources/dynamicdesiredcountfunction/acd1f00a18ceccc32a780fb208be61f3f62274d775f987fd9feec37493d9173c.zip to bucket stackset-[...]-inf-pipelinebuiltartifactbuc-fp3jkjypj66y: AccessDenied: Access Denied
status code: 403, [...]
```
Has there been any progress on this topic? Our company also requires us to set up bucket encryption and object-level encryption.