Server-side encryption for an Object Storage bucket
In this scenario, you will enable bucket encryption. As a symmetric encryption key, you will use a Yandex Key Management Service key. This key will encrypt all new bucket objects with envelope encryption.
To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:
kms.keys.encrypter: To read the key, encrypt and upload objects.kms.keys.decrypter: To read the key, decrypt and download objects.kms.keys.encrypterDecrypter: This role includes thekms.keys.encrypterandkms.keys.decrypterpermissions.
For more information, see Key Management Service service roles.
To enable server-side bucket encryption:
If you no longer need to encrypt new bucket objects, disable encryption.
Get your cloud ready
Sign up in Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or register a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The cost of maintaining a bucket with encryption includes:
- Fee for storing data in a bucket (see Object Storage pricing).
- Fee for data operations (see Object Storage pricing).
- Fee for using KMS keys (see Key Management Service pricing).
Create a bucket
You can create a new bucket or use an existing one. To create a bucket, run:
-
In the management console, select the folder where you want to create a bucket.
-
From the list of services, select Object Storage.
-
Click Create bucket.
-
In the ** Name** field, enter a name for the bucket.
The name must meet the following requirements:
- The name must be from 3 to 63 characters long.
- The name may contain lowercase Latin letters, numbers, hyphens, and periods.
- The first and last characters must be letters or numbers.
- The characters to the right and left of the period must be letters or numbers.
- The name must not look like an IP address, e.g.,
10.1.3.9.
-
Specify the maximum size of the bucket in GB.
-
In the Object read access, Object listing access, and Read access to settings fields, select Restricted.
-
Click Create bucket.
-
If you do not have the AWS CLI yet, install and configure it.
-
Run this command:
aws s3 mb s3://<bucket_name> --endpoint-url=https://storage.yandexcloud.netResult:
make_bucket: <bucket_name>
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources.
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
-
Describe the resources in the configuration file. In this scenario, specify the parameters under
locals:locals { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" oauth = "<OAuth>" zone = "ru-central1-a" sa_name = "new-buckets-account" sa_desc = "Account for managing Object Storage buckets" sa_key_desc = "Static key for ${local.sa_name}" bucket_name = "Bucket name" # Name of the bucket you are creating. If you do not specify a bucket name for the `yandex_storage_bucket` resource, the name will be generated automatically. } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } } provider "yandex" { token = local.oauth cloud_id = local.cloud_id folder_id = local.folder_id zone = local.zone } resource "yandex_iam_service_account" "buckets-account" { name = local.sa_name description = local.sa_desc } resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" { folder_id = local.folder_id role = "editor" member = "serviceAccount:${yandex_iam_service_account.buckets-account.id}" } resource "yandex_iam_service_account_static_access_key" "buckets-account-key" { service_account_id = "${yandex_iam_service_account.buckets-account.id}" description = local.sa_key_desc } resource "yandex_storage_bucket" "test" { bucket = local.bucket_name access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}" secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}" }For more information about the resources you can create with Terraform, see the provider documentation.
-
Make sure the configuration files are correct.
-
In the command line, navigate to the directory where you created the configuration file.
-
Run a check using this command:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy the cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the resources.
After the command is executed, Terraform updates or creates the following resources in the specified folder:
new-buckets-accountservice account.- The
editorrole for thenew-buckets-accountservice account. - Static key for the service account.
- Bucket.
You can check the new resources using the management console.
-
Create a key
Create a new key or use an existing one. To create a key:
-
In the management console, select the folder you want to create a key in.
-
From the list of services, select Key Management Service.
-
Click Create key.
-
In the window that opens:
- In the Name field, specify
bucket-key. - In the Encryption algorithm field, select
AES-256. - In the Rotation period, days field, set the rotation period to
7 days. - Click Create.
- In the Name field, specify
The key is created together with its first version: click the key in the list to open a page with its attributes.
Run this command:
yc kms symmetric-key create \
--name bucket-key \
--default-algorithm aes-256 \
--rotation-period 168h
Where:
-
--name: Key name. -
--default-algorithm: Encryption algorithm:aes-128,aes-192, oraes-256. -
--rotation-period: Key rotation period. The value is set in hours, minutes, and seconds and cannot be less than 24 hours, e.g.,--rotation-period 27h14m27s.To create a key without automatic rotation, do not specify the
--rotation-periodparameter.
The key is created along with its first version. It is specified in the primary_version field.
-
Describe the resources in the configuration file. In this scenario, specify the parameters under
locals:locals { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" oauth = "<OAuth>" zone = "ru-central1-a" sa_name = "new-buckets-account" sa_desc = "Account for managing Object Storage buckets" sa_key_desc = "Static key for ${local.sa_name}" key_name = "bucket-key" # KMS key name key_desc = "Bucket encryption key" bucket_name = "Bucket name" } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } } provider "yandex" { token = local.oauth cloud_id = local.cloud_id folder_id = local.folder_id zone = local.zone } resource "yandex_iam_service_account" "buckets-account" { name = local.sa_name description = local.sa_desc } resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" { folder_id = local.folder_id role = "editor" member = "serviceAccount:${yandex_iam_service_account.buckets-account.id}" } resource "yandex_iam_service_account_static_access_key" "buckets-account-key" { service_account_id = "${yandex_iam_service_account.buckets-account.id}" description = local.sa_key_desc } resource "yandex_kms_symmetric_key" "key-a" { name = local.key_name description = local.key_desc default_algorithm = "AES_256" rotation_period = "168h" } resource "yandex_storage_bucket" "test" { bucket = local.bucket_name access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}" secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}" } -
Make sure the configuration files are correct.
-
In the command line, navigate to the directory where you created the configuration file.
-
Run a check using this command:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy the cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the resources.
After the command is executed, Terraform updates or creates the following resources in the specified folder:
new-buckets-accountservice account.- The
editorrole for thenew-buckets-accountservice account. - Static key for the service account.
- KMS key named
bucket-key. - Bucket.
You can check the new resources using the management console.
-
Use the create method for the SymmetricKey resource.
Enable encryption
To enable bucket encryption with a KMS key:
- In the management console, select the folder the bucket is in.
- From the list of services, select Object Storage.
- Select the previously created bucket.
- In the left-hand panel, select Security.
- Open the Encryption tab.
- In the KMS Key field, select
bucket-key. - Click Save.
Run this command:
aws s3api put-bucket-encryption \
--bucket <bucket_name> \
--endpoint-url=https://storage.yandexcloud.net \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "<KMS_key_ID>"
},
"BucketKeyEnabled": true
}
]
}'
-
Describe the resources in the configuration file. In this scenario, specify the parameters under
locals:locals { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" oauth = "<OAuth>" zone = "ru-central1-a" sa_name = "new-buckets-account" sa_desc = "Account for managing Object Storage buckets" sa_key_desc = "Static key for ${local.sa_name}" key_name = "bucket-key" # KMS key name key_desc = "Bucket encryption key" bucket_name = "Bucket name" # Bucket name. } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } } provider "yandex" { token = local.oauth cloud_id = local.cloud_id folder_id = local.folder_id zone = local.zone } resource "yandex_iam_service_account" "buckets-account" { name = local.sa_name description = local.sa_desc } resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" { folder_id = local.folder_id role = "editor" member = "serviceAccount:${yandex_iam_service_account.buckets-account.id}" } resource "yandex_iam_service_account_static_access_key" "buckets-account-key" { service_account_id = "${yandex_iam_service_account.buckets-account.id}" description = local.sa_key_desc } resource "yandex_kms_symmetric_key" "key-a" { name = local.key_name description = local.key_desc default_algorithm = "AES_256" rotation_period = "168h" } resource "yandex_storage_bucket" "test" { bucket = local.bucket_name access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}" secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}" server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = yandex_kms_symmetric_key.key-a.id sse_algorithm = "aws:kms" } } } } -
Make sure the configuration files are correct.
-
In the command line, navigate to the directory where you created the configuration file.
-
Run a check using this command:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy the cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the resources.
After the command is executed, Terraform updates or creates the following resources in the specified folder:
new-buckets-accountservice account.- The
editorrole for thenew-buckets-accountservice account. - Static key for the service account.
- KMS key named
bucket-key. - Bucket with encryption.
You can check the new resources using the management console.
-
Now all new objects in the bucket will be encrypted with bucket-key.
Disable encryption
If you no longer need to encrypt new bucket objects, disable encryption.
Alert
After you disable bucket encryption, previously uploaded objects will be stored in encrypted form. Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as deleting all data encrypted with that key.
- In the management console, select the folder the bucket is in.
- From the list of services, select Object Storage.
- Select the previously created bucket.
- In the left-hand panel, select Security.
- Open the Encryption tab.
- In the KMS Key field, select
Not selected. - Click Save.
Run this command:
aws s3api delete-bucket-encryption \
--bucket <bucket_name> \
--endpoint-url=https://storage.yandexcloud.net
-
Describe the resources in the configuration file. To disable encryption, delete or comment out the
server_side_encryption_configurationsection for theyandex_storage_bucketresource:locals { cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" oauth = "<OAuth>" zone = "ru-central1-a" sa_name = "new-buckets-account" sa_desc = "Account for managing Object Storage buckets" sa_key_desc = "Static key for ${local.sa_name}" key_name = "bucket-key" key_desc = "Bucket encryption key" bucket_name = "Bucket name" } terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } } provider "yandex" { token = local.oauth cloud_id = local.cloud_id folder_id = local.folder_id zone = local.zone } resource "yandex_iam_service_account" "buckets-account" { name = local.sa_name description = local.sa_desc } resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" { folder_id = local.folder_id role = "editor" member = "serviceAccount:${yandex_iam_service_account.buckets-account.id}" } resource "yandex_iam_service_account_static_access_key" "buckets-account-key" { service_account_id = "${yandex_iam_service_account.buckets-account.id}" description = local.sa_key_desc } resource "yandex_kms_symmetric_key" "key-a" { name = local.key_name description = local.key_desc default_algorithm = "AES_256" rotation_period = "168h" } resource "yandex_storage_bucket" "test" { bucket = local.bucket_name access_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.access_key}" secret_key = "${yandex_iam_service_account_static_access_key.buckets-account-key.secret_key}" /* server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { kms_master_key_id = yandex_kms_symmetric_key.key-a.id sse_algorithm = "aws:kms" } } } */ } -
Make sure the configuration files are correct.
-
In the command line, navigate to the directory where you created the configuration file.
-
Run a check using this command:
terraform planIf you described the configuration correctly, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy the cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm that you want to update the resources.
After the command is executed, Terraform updates the following resources in the specified folder:
new-buckets-accountservice account.- The
editorrole for thenew-buckets-accountservice account. - Static key for the service account.
- KMS key named
bucket-key. - Bucket.
-
This will disable bucket encryption in the specified folder. You can check the resource update and configuration using the management console.