temp comment out (KMS default encryption and the bucket policy enforcing it)
paulineribeyre committed Jan 15, 2025
1 parent 5f6225b commit 29bd0ea
Showing 1 changed file with 39 additions and 38 deletions.
77 changes: 39 additions & 38 deletions gen3workflow/aws_utils.py
Expand Up @@ -101,44 +101,45 @@ def create_user_bucket(user_id: str) -> Tuple[str, str, str]:
kms_client.create_alias(AliasName=kms_key_alias, TargetKeyId=kms_key_arn)
logger.debug(f"Created KMS key alias '{kms_key_alias}'")

logger.debug(f"Setting KMS encryption on bucket '{user_bucket_name}'")
s3_client.put_bucket_encryption(
Bucket=user_bucket_name,
ServerSideEncryptionConfiguration={
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": kms_key_arn,
},
"BucketKeyEnabled": True,
},
],
},
)

logger.debug("Enforcing KMS encryption through bucket policy")
s3_client.put_bucket_policy(
Bucket=user_bucket_name,
Policy=f"""{{
"Version": "2012-10-17",
"Statement": [
{{
"Sid": "RequireKMSEncryption",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::{user_bucket_name}/*",
"Condition": {{
"StringNotLikeIfExists": {{
"s3:x-amz-server-side-encryption-aws-kms-key-id": "{kms_key_arn}"
}}
}}
}}
]
}}
""",
)
# TODO enable when Funnel workers can push with KMS key
# logger.debug(f"Setting KMS encryption on bucket '{user_bucket_name}'")
# s3_client.put_bucket_encryption(
# Bucket=user_bucket_name,
# ServerSideEncryptionConfiguration={
# "Rules": [
# {
# "ApplyServerSideEncryptionByDefault": {
# "SSEAlgorithm": "aws:kms",
# "KMSMasterKeyID": kms_key_arn,
# },
# "BucketKeyEnabled": True,
# },
# ],
# },
# )

# logger.debug("Enforcing KMS encryption through bucket policy")
# s3_client.put_bucket_policy(
# Bucket=user_bucket_name,
# Policy=f"""{{
# "Version": "2012-10-17",
# "Statement": [
# {{
# "Sid": "RequireKMSEncryption",
# "Effect": "Deny",
# "Principal": "*",
# "Action": "s3:PutObject",
# "Resource": "arn:aws:s3:::{user_bucket_name}/*",
# "Condition": {{
# "StringNotLikeIfExists": {{
# "s3:x-amz-server-side-encryption-aws-kms-key-id": "{kms_key_arn}"
# }}
# }}
# }}
# ]
# }}
# """,
# )

expiration_days = config["S3_OBJECTS_EXPIRATION_DAYS"]
logger.debug(f"Setting bucket objects expiration to {expiration_days} days")
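Review bot: With both `put_bucket_encryption` and `put_bucket_policy` commented out, every bucket created by `create_user_bucket` now comes up without a customer-managed default key and without the Deny on `s3:PutObject`, so objects fall back to whatever S3 applies by default (SSE-S3 on new buckets) and any principal allowed to write can upload with an arbitrary key or none at all — that loss of the per-user KMS boundary is worth stating next to the TODO, not just "enable when Funnel workers can push". The KMS key and alias are still created just above (lines with `kms_client.create_alias`), so each new bucket now leaves an orphaned, billed key that nothing references; if the workaround stays for more than a few days, gate the key creation the same way or note why it is kept. Rather than commented-out code, gate the two calls behind a config switch so the control stays live and testable, e.g. `if config.get("ENFORCE_KMS_BUCKET_ENCRYPTION", False):` (a proposed key, adjust to the project's config schema) and make the TODO actionable: `# TODO(<owner>, <issue>): Funnel workers cannot yet PutObject with a KMS key; re-enable once they can`. `create_user_bucket` begins before and continues past this hunk, so I have not checked whether the returned tuple still hands the now-unused `kms_key_arn` to callers.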
