Server-side encryption
In this scenario, you will enable bucket encryption. As a symmetric encryption key, you will use a Yandex Key Management Service key. This key will encrypt all new bucket objects with envelope encryption.
To work with objects in an encrypted bucket, a user or service account needs, in addition to the storage.configurer role, one of the following roles for the encryption key:
- kms.keys.encrypter: Read the key, encrypt data, and upload objects.
- kms.keys.decrypter: Read the key, decrypt data, and download objects.
- kms.keys.encrypterDecrypter: Includes the kms.keys.encrypter and kms.keys.decrypter permissions.
Grant the narrowest role that fits: a service that only uploads needs kms.keys.encrypter, and a service that only downloads needs kms.keys.decrypter. Without the key role, the upload or download of an encrypted object is rejected even if the principal can otherwise access the bucket.
For more information, see Key Management Service service roles.
To enable server-side bucket encryption:
- Prepare your cloud.
- Create a bucket.
- Create a key.
- Enable encryption.
If you no longer need to encrypt new bucket objects, disable encryption.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The cost of maintaining a bucket with encryption includes:
- Fee for storing data in a bucket (see Object Storage pricing).
- Fee for operations with data (see Object Storage pricing).
- Fee for using KMS keys (see Key Management Service pricing).
Create a bucket
You can create a new bucket or use an existing one. To create a bucket:
Management console
- In the management console, select the folder you want to create a bucket in.
- In the list of services, select Object Storage.
- Click Create bucket.
- In the Name field, enter a name for the bucket. The name must meet the following requirements:
  - The name must be from 3 to 63 characters long.
  - The name may contain lowercase Latin letters, numbers, hyphens, and periods.
  - The first and last characters must be letters or numbers.
  - The characters to the right and left of a period must be letters or numbers.
  - The name must not look like an IP address, e.g., 10.1.3.9.
- Specify the maximum size of the bucket in GB.
- In the Object read access, Object listing access, and Read access to settings fields, select Restricted. This keeps the bucket private; server-side encryption protects data at rest and is not a substitute for restricting access to objects.
- Click Create bucket.
AWS CLI
- If you do not have the AWS CLI yet, install and configure it.
- Run this command:
  aws s3 mb s3://<bucket_name> --endpoint-url=https://storage.yandexcloud.net
  Result:
  make_bucket: <bucket_name>
Terraform
Note
Terraform uses a service account to interact with Object Storage. Assign to the service account the required role, e.g., storage.admin, for the folder where you are going to create resources. The configuration below grants the editor role, which is broader than Object Storage needs; storage.admin on the folder is enough for this scenario. The static key's secret_key is written to the Terraform state in plaintext, so protect the state file, and the OAuth token in locals, as you would any credential.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
  locals {
    cloud_id    = "<cloud_ID>"
    folder_id   = "<folder_ID>"
    oauth       = "<OAuth>"
    zone        = "ru-central1-a"
    sa_name     = "new-buckets-account"
    sa_desc     = "Account for managing Object Storage buckets"
    sa_key_desc = "Static key for ${local.sa_name}"
    bucket_name = "Bucket name" # Name of the bucket you are creating. If you do not specify a bucket name for the `yandex_storage_bucket` resource, the name will be generated automatically.
  }

  terraform {
    required_providers {
      yandex = {
        source = "yandex-cloud/yandex"
      }
    }
  }

  provider "yandex" {
    token     = local.oauth
    cloud_id  = local.cloud_id
    folder_id = local.folder_id
    zone      = local.zone
  }

  resource "yandex_iam_service_account" "buckets-account" {
    name        = local.sa_name
    description = local.sa_desc
  }

  resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
    folder_id = local.folder_id
    role      = "editor"
    member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
  }

  resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
    service_account_id = yandex_iam_service_account.buckets-account.id
    description        = local.sa_key_desc
  }

  resource "yandex_storage_bucket" "test" {
    bucket     = local.bucket_name
    access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key
  }
  For more information about the resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account.
  - The editor role for the new-buckets-account service account.
  - Static key for the service account.
  - Bucket.
  You can check the new resources using the management console.
Create a key
Create a new key or use an existing one. To create a key:
Management console
- In the management console, select the folder you want to create a key in.
- In the list of services, select Key Management Service.
- Click Create key.
- In the window that opens:
  - In the Name field, specify bucket-key.
  - In the Encryption algorithm field, select AES-256.
  - In the Rotation period, days field, set the rotation period to 7 days.
  - Click Create.
The key is created together with its first version: click the key in the list to open a page with its attributes.
CLI
Run this command:
yc kms symmetric-key create \
  --name bucket-key \
  --default-algorithm aes-256 \
  --rotation-period 168h
Where:
- --name: Key name.
- --default-algorithm: Encryption algorithm: aes-128, aes-192, or aes-256.
- --rotation-period: Key rotation period. The value is set in hours, minutes, and seconds and cannot be less than 24 hours, e.g., --rotation-period 27h14m27s. To create a key without automatic rotation, do not specify the --rotation-period parameter.
The key is created along with its first version, whose ID is shown in the primary_version field. Rotation adds a new version and makes it primary for new encryptions; objects encrypted under earlier versions remain readable, because their data keys are decrypted with the version that wrapped them.
Terraform
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
  locals {
    cloud_id    = "<cloud_ID>"
    folder_id   = "<folder_ID>"
    oauth       = "<OAuth>"
    zone        = "ru-central1-a"
    sa_name     = "new-buckets-account"
    sa_desc     = "Account for managing Object Storage buckets"
    sa_key_desc = "Static key for ${local.sa_name}"
    key_name    = "bucket-key" # KMS key name
    key_desc    = "Bucket encryption key"
    bucket_name = "Bucket name"
  }

  terraform {
    required_providers {
      yandex = {
        source = "yandex-cloud/yandex"
      }
    }
  }

  provider "yandex" {
    token     = local.oauth
    cloud_id  = local.cloud_id
    folder_id = local.folder_id
    zone      = local.zone
  }

  resource "yandex_iam_service_account" "buckets-account" {
    name        = local.sa_name
    description = local.sa_desc
  }

  resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
    folder_id = local.folder_id
    role      = "editor"
    member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
  }

  resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
    service_account_id = yandex_iam_service_account.buckets-account.id
    description        = local.sa_key_desc
  }

  resource "yandex_kms_symmetric_key" "key-a" {
    name              = local.key_name
    description       = local.key_desc
    default_algorithm = "AES_256"
    rotation_period   = "168h"
  }

  resource "yandex_storage_bucket" "test" {
    bucket     = local.bucket_name
    access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key
  }
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account.
  - The editor role for the new-buckets-account service account.
  - Static key for the service account.
  - KMS key named bucket-key.
  - Bucket.
  You can check the new resources using the management console.
API
Use the create method for the SymmetricKey resource.
Enable encryption
To enable bucket encryption with a KMS key:
Management console
- In the management console, select the folder the bucket is in.
- In the list of services, select Object Storage.
- Select the previously created bucket.
- In the left-hand panel, select Security.
- Open the Encryption tab.
- In the KMS Key field, select bucket-key.
- Click Save.
AWS CLI
Run this command, where <KMS_key_ID> is the ID of the key you created (the id field in the yc output, or the key's attributes page in the console):
aws s3api put-bucket-encryption \
--bucket <bucket_name> \
--endpoint-url=https://storage.yandexcloud.net \
--server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "<KMS_key_ID>"
},
"BucketKeyEnabled": true
}
]
}'
Terraform
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
  locals {
    cloud_id    = "<cloud_ID>"
    folder_id   = "<folder_ID>"
    oauth       = "<OAuth>"
    zone        = "ru-central1-a"
    sa_name     = "new-buckets-account"
    sa_desc     = "Account for managing Object Storage buckets"
    sa_key_desc = "Static key for ${local.sa_name}"
    key_name    = "bucket-key" # KMS key name
    key_desc    = "Bucket encryption key"
    bucket_name = "Bucket name" # Bucket name.
  }

  terraform {
    required_providers {
      yandex = {
        source = "yandex-cloud/yandex"
      }
    }
  }

  provider "yandex" {
    token     = local.oauth
    cloud_id  = local.cloud_id
    folder_id = local.folder_id
    zone      = local.zone
  }

  resource "yandex_iam_service_account" "buckets-account" {
    name        = local.sa_name
    description = local.sa_desc
  }

  resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
    folder_id = local.folder_id
    role      = "editor"
    member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
  }

  resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
    service_account_id = yandex_iam_service_account.buckets-account.id
    description        = local.sa_key_desc
  }

  resource "yandex_kms_symmetric_key" "key-a" {
    name              = local.key_name
    description       = local.key_desc
    default_algorithm = "AES_256"
    rotation_period   = "168h"
  }

  resource "yandex_storage_bucket" "test" {
    bucket     = local.bucket_name
    access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key

    server_side_encryption_configuration {
      rule {
        apply_server_side_encryption_by_default {
          kms_master_key_id = yandex_kms_symmetric_key.key-a.id
          sse_algorithm     = "aws:kms"
        }
      }
    }
  }
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account.
  - The editor role for the new-buckets-account service account.
  - Static key for the service account.
  - KMS key named bucket-key.
  - Bucket with encryption.
  You can check the new resources using the management console.
Now all new objects in the bucket will be encrypted with bucket-key.
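A check that the setting took effect, as an added example that is not Yandex Cloud or Object Storage code. The pure helpers build the same configuration body the put-bucket-encryption command sends and inspect the responses of get-bucket-encryption and head-object; verify_bucket() uses boto3, which is assumed to be installed and configured with the service account's static key (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), and assumes Object Storage returns the standard S3 response headers x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id, which boto3 exposes as ServerSideEncryption and SSEKMSKeyId. The probe object name and the AWS-style error code for a bucket with no default encryption are the example's own assumptions.

```python
"""Check that default KMS encryption is really applied to a bucket and its objects.

Added example, not Yandex Cloud code. Pure helpers run offline; verify_bucket()
needs boto3 and network access. Assumptions: boto3 is installed and picks up the
service account's static key from the environment; Object Storage returns the
standard S3 SSE headers (boto3 keys ServerSideEncryption and SSEKMSKeyId).
"""
ENDPOINT = "https://storage.yandexcloud.net"


def sse_configuration(kms_key_id: str) -> dict:
    """The body passed to put-bucket-encryption for the given KMS key."""
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": kms_key_id,
                },
                "BucketKeyEnabled": True,
            }
        ]
    }


def default_kms_key(get_bucket_encryption_response: dict):
    """KMS key ID from a get-bucket-encryption response, or None if no aws:kms rule."""
    config = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def object_encrypted_with(head_object_response: dict, kms_key_id: str) -> bool:
    """True only if the object reports SSE-KMS with exactly the expected key."""
    return (
        head_object_response.get("ServerSideEncryption") == "aws:kms"
        and head_object_response.get("SSEKMSKeyId") == kms_key_id
    )


def verify_bucket(bucket: str, kms_key_id: str, probe_key: str = "sse-probe.txt") -> dict:
    """Upload a probe object, then compare bucket default and object headers to the key."""
    import boto3  # assumed installed; credentials come from the environment
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3", endpoint_url=ENDPOINT)
    try:
        bucket_default = default_kms_key(s3.get_bucket_encryption(Bucket=bucket))
    except ClientError as err:
        # Assumed AWS-style error code for a bucket with no default encryption.
        if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        bucket_default = None
    s3.put_object(Bucket=bucket, Key=probe_key, Body=b"sse probe")
    head = s3.head_object(Bucket=bucket, Key=probe_key)
    s3.delete_object(Bucket=bucket, Key=probe_key)  # probe object is not left behind
    return {
        "bucket_default_matches": bucket_default == kms_key_id,
        "object_encrypted": object_encrypted_with(head, kms_key_id),
    }


if __name__ == "__main__":
    import sys
    # usage: python check_sse.py <bucket_name> <KMS_key_ID>
    print(verify_bucket(sys.argv[1], sys.argv[2]))
```

Both flags must be true: the bucket default proves the setting is stored, and the head-object headers prove a new upload was actually wrapped with bucket-key rather than with some other key or no key at all. An object uploaded before encryption was enabled will report no SSE headers, which is the expected result for pre-existing data.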
Disable encryption
If you no longer need to encrypt new bucket objects, disable encryption.
Alert
After you disable bucket encryption, previously uploaded objects remain stored in encrypted form and still need the key to be read; only new uploads are stored unencrypted. Data in Object Storage is encrypted using envelope encryption: each object is encrypted with its own data key, and that data key is wrapped with the KMS key. Do not delete bucket-key while encrypted objects remain in the bucket: deleting a key is the same as destroying all data encrypted with that key.
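The envelope-encryption model that the introduction and the alert above describe, as an added example that is not Yandex Cloud, Object Storage, or Key Management Service code. It stands in AES with an HMAC-SHA256 counter-mode keystream plus an HMAC tag so that it runs on the Python standard library alone; the SymmetricKey and Bucket classes, their field names, and the version IDs are the example's own. It shows why rotation leaves older objects readable, why disabling bucket encryption leaves them encrypted at rest, and why destroying the key makes them unrecoverable while unencrypted objects are unaffected.

```python
"""Envelope-encryption model behind KMS bucket encryption (added example, not
Yandex Cloud code). Assumption: AES is replaced by an HMAC-SHA256 counter-mode
keystream with an HMAC tag (encrypt-then-MAC) to stay on the standard library."""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SymmetricKey:
    """A versioned KMS key; key material never leaves this object."""

    def __init__(self):
        self.versions = {}  # version_id -> key material
        self.rotate()

    def rotate(self):
        """Add a version and make it primary; older versions stay usable for decrypt."""
        self.primary = f"v{len(self.versions) + 1}"
        self.versions[self.primary] = secrets.token_bytes(32)

    def encrypt(self, plaintext: bytes):
        # kms.keys.encrypter: always wraps with the primary version.
        return self.primary, seal(self.versions[self.primary], plaintext)

    def decrypt(self, version_id: str, blob: bytes) -> bytes:
        # kms.keys.decrypter: unwraps with whichever version produced the blob.
        if version_id not in self.versions:
            raise KeyError(f"key version {version_id} no longer exists")
        return unseal(self.versions[version_id], blob)

    def destroy(self):
        self.versions.clear()  # every wrapped data key is now unrecoverable


class Bucket:
    """Bucket whose default encryption key can be set or cleared at any time."""

    def __init__(self):
        self.kms_key = None  # None: server-side encryption disabled
        self.objects = {}    # name -> (metadata, stored bytes)

    def put(self, name: str, body: bytes):
        if self.kms_key is None:
            self.objects[name] = ({"sse": None}, body)
            return
        dek = secrets.token_bytes(32)                 # fresh data key per object
        version, wrapped = self.kms_key.encrypt(dek)  # data key wrapped by the KMS key
        meta = {"sse": "aws:kms", "key": self.kms_key, "version": version, "dek": wrapped}
        self.objects[name] = (meta, seal(dek, body))

    def get(self, name: str) -> bytes:
        meta, body = self.objects[name]
        if meta["sse"] is None:
            return body
        # Reads use the key recorded with the object, not the bucket's current setting.
        return unseal(meta["key"].decrypt(meta["version"], meta["dek"]), body)


def demo() -> dict:
    """Encrypt, rotate, disable, destroy; report which objects remain readable."""
    key, bucket = SymmetricKey(), Bucket()
    bucket.kms_key = key
    bucket.put("a.txt", b"first object")
    key.rotate()                                      # new primary version
    bucket.put("b.txt", b"second object")
    bucket.kms_key = None                             # disable bucket encryption
    bucket.put("c.txt", b"third object")
    report = {
        "a_readable_after_rotation": bucket.get("a.txt") == b"first object",
        "a_b_differ_in_key_version": bucket.objects["a.txt"][0]["version"]
        != bucket.objects["b.txt"][0]["version"],
        "a_encrypted_at_rest": bucket.objects["a.txt"][1] != b"first object",
        "c_plaintext_at_rest": bucket.objects["c.txt"][1] == b"third object",
    }
    key.destroy()                                     # like deleting bucket-key
    try:
        bucket.get("a.txt")
        report["a_readable_after_destroy"] = True
    except KeyError:
        report["a_readable_after_destroy"] = False
    report["c_readable_after_destroy"] = bucket.get("c.txt") == b"third object"
    return report
```

Calling demo() returns a report in which a.txt is readable after rotation and still ciphertext at rest, c.txt (uploaded after encryption was disabled) is plaintext at rest, and after destroy() only c.txt can still be read. The same reasoning is why the page says to grant kms.keys.decrypter to anything that must download existing objects even after you switch the bucket's KMS key off.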
Management console
- In the management console, select the folder the bucket is in.
- In the list of services, select Object Storage.
- Select the previously created bucket.
- In the left-hand panel, select Security.
- Open the Encryption tab.
- In the KMS Key field, select Not selected.
- Click Save.
AWS CLI
Run this command:
aws s3api delete-bucket-encryption \
--bucket <bucket_name> \
--endpoint-url=https://storage.yandexcloud.net
Terraform
- Describe the resources in the configuration file. To disable encryption, delete or comment out the server_side_encryption_configuration section for the yandex_storage_bucket resource:
  locals {
    cloud_id    = "<cloud_ID>"
    folder_id   = "<folder_ID>"
    oauth       = "<OAuth>"
    zone        = "ru-central1-a"
    sa_name     = "new-buckets-account"
    sa_desc     = "Account for managing Object Storage buckets"
    sa_key_desc = "Static key for ${local.sa_name}"
    key_name    = "bucket-key"
    key_desc    = "Bucket encryption key"
    bucket_name = "Bucket name"
  }

  terraform {
    required_providers {
      yandex = {
        source = "yandex-cloud/yandex"
      }
    }
  }

  provider "yandex" {
    token     = local.oauth
    cloud_id  = local.cloud_id
    folder_id = local.folder_id
    zone      = local.zone
  }

  resource "yandex_iam_service_account" "buckets-account" {
    name        = local.sa_name
    description = local.sa_desc
  }

  resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
    folder_id = local.folder_id
    role      = "editor"
    member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
  }

  resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
    service_account_id = yandex_iam_service_account.buckets-account.id
    description        = local.sa_key_desc
  }

  resource "yandex_kms_symmetric_key" "key-a" {
    name              = local.key_name
    description       = local.key_desc
    default_algorithm = "AES_256"
    rotation_period   = "168h"
  }

  resource "yandex_storage_bucket" "test" {
    bucket     = local.bucket_name
    access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
    secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key

    /*
    server_side_encryption_configuration {
      rule {
        apply_server_side_encryption_by_default {
          kms_master_key_id = yandex_kms_symmetric_key.key-a.id
          sse_algorithm     = "aws:kms"
        }
      }
    }
    */
  }
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm that you want to update the resources.
  After the command is executed, Terraform updates the following resources in the specified folder:
  - new-buckets-account service account.
  - The editor role for the new-buckets-account service account.
  - Static key for the service account.
  - KMS key named bucket-key.
  - Bucket.
This will disable bucket encryption in the specified folder. You can check the resource update and configuration using the management console.