From ae51867641b384d4c2138ac0e4c0537441dfa87b Mon Sep 17 00:00:00 2001
From: Randy DeFauw
Date: Wed, 30 Nov 2022 19:56:41 -0800
Subject: [PATCH 1/2] Add S3 SSE-S3 encryption by default for terraform and manifest deployment options

---
 iaac/terraform/aws-infra/s3/main.tf | 10 ++++++++++
 tests/e2e/utils/rds-s3/auto-rds-s3-setup.py | 13 +++++++++++++
 website/content/en/docs/about/security.md | 11 +++++++++++
 3 files changed, 34 insertions(+)

diff --git a/iaac/terraform/aws-infra/s3/main.tf b/iaac/terraform/aws-infra/s3/main.tf
index 01d00496a2..4c43dbc7f6 100644
--- a/iaac/terraform/aws-infra/s3/main.tf
+++ b/iaac/terraform/aws-infra/s3/main.tf
@@ -6,6 +6,16 @@ resource "aws_s3_bucket" "artifact_store" {
   force_destroy = var.force_destroy_bucket
 }
 
+resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+  bucket = aws_s3_bucket.artifact_store.bucket
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
 resource "aws_secretsmanager_secret" "s3_secret" {
   name_prefix = "s3-secret-"
   recovery_window_in_days = var.secret_recovery_window_in_days
diff --git a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
index f40d75efb1..8edf184afe 100644
--- a/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
+++ b/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py
@@ -126,6 +126,19 @@ def create_s3_bucket(s3_client):
         s3_client.create_bucket(**args)
         print("S3 bucket created!")
 
+    s3_client.put_bucket_encryption(
+        Bucket=S3_BUCKET_NAME,
+        ServerSideEncryptionConfiguration={
+            'Rules': [
+                {
+                    'ApplyServerSideEncryptionByDefault': {
+                        'SSEAlgorithm': 'AES256'
+                    }
+                },
+            ]
+        }
+    )
+
 
 def setup_s3_secrets(secrets_manager_client):
     if not does_secret_already_exist(secrets_manager_client, S3_SECRET_NAME):
diff --git a/website/content/en/docs/about/security.md b/website/content/en/docs/about/security.md
index 1f5b688f12..6b9cb0e3fe 100644
--- a/website/content/en/docs/about/security.md
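Review bot: The new `apply_server_side_encryption_by_default` block hard-codes `sse_algorithm = "AES256"` without a comment, even though the security.md added in the same patch sends readers to this file to switch to SSE-KMS; a one-line comment above `rule {` such as `# SSE-S3 by default; for SSE-KMS set sse_algorithm = "aws:kms" and add kms_master_key_id = <KMS key ARN>` would make that path discoverable. Exposing the key as an optional module variable that defaults to null (so AES256 stays the default) would avoid hand-editing a module that user deployments consume, though how variables are organised for this module is outside the hunk. Two caveats worth recording: default encryption applies only to objects written after the configuration takes effect, so an existing `artifact_store` bucket with prior objects is not retroactively encrypted, and this resource type exists only in AWS provider 4.x or later, so the module's provider constraint (not in this hunk) should be confirmed.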
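Review bot: `print("S3 bucket created!")` on the context line above the insertion now runs before the bucket is encrypted, so a failure in the new `put_bucket_encryption` call leaves an unencrypted bucket behind a success message; either move the print after the call or add `print("S3 bucket default encryption (SSE-S3) configured!")` after the closing `)`. The call appears to sit at function level rather than inside the `create_bucket` branch, which is the right place, but if `create_s3_bucket` returns early for an already-existing bucket in the lines above the hunk (the enclosing function starts outside it), pre-existing buckets will not receive the setting — worth confirming. As with the Terraform change, a comment noting that SSE-KMS is selected with `'SSEAlgorithm': 'aws:kms'` plus a `'KMSMasterKeyID'` entry would tie this code to the security.md guidance that points readers here.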
+++ b/website/content/en/docs/about/security.md
@@ -6,6 +6,17 @@ weight = 40
 
 We highly recommend that you follow AWS security best practices while provisioning any AWS resources.
 
+## Default security configuration
+
+### Amazon Simple Storage Service (S3)
+
+When you use Amazon S3 for kubeflow artifact storage, Kubeflow on AWS configures the Amazon S3 bucket to use [server-side encryption with Amazon S3-managed encryption keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) (SSE-S3). If you prefer to use [server-side encryption with AWS Key Management Service](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) (SSE-KMS), you can modify these files to specify an AWS KMS key.
+
+* [main.tf](https://github.com/awslabs/kubeflow-manifests/blob/main/iaac/terraform/aws-infra/s3/main.tf) for Terraform deployments
+* [auto-rds-s3-setup.py](https://github.com/awslabs/kubeflow-manifests/blob/main/tests/e2e/utils/rds-s3/auto-rds-s3-setup.py) for manifest deployments
+
+Both SSE-S3 and SSE-KMS provide encryption of objects in the Amazon S3 bucket. You may prefer SSE-KMS if you want to separate the management of encryption keys (via AWS KMS) from management of the Amazon S3 bucket. That separation may provide a stronger security posture. In order to access and use an object in an Amazon S3 bucket, a user needs permission to read the object in the Amazon S3 bucket as well as permission to use the AWS KMS encryption key.
+
 ## Security resources
 
 Refer to the following documents for more information:

From b45ad6165aea88c80e41fa840622c77c534b7ed8 Mon Sep 17 00:00:00 2001
From: Randy DeFauw
Date: Fri, 2 Dec 2022 09:04:02 -0700
Subject: [PATCH 2/2] Use better resource name for s3 encryption in terraform

---
 iaac/terraform/aws-infra/s3/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iaac/terraform/aws-infra/s3/main.tf b/iaac/terraform/aws-infra/s3/main.tf
index 4c43dbc7f6..03852161c2 100644
--- a/iaac/terraform/aws-infra/s3/main.tf
+++ b/iaac/terraform/aws-infra/s3/main.tf
@@ -6,7 +6,7 @@ resource "aws_s3_bucket" "artifact_store" {
   force_destroy = var.force_destroy_bucket
 }
 
-resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+resource "aws_s3_bucket_server_side_encryption_configuration" "artifact_store_encryption" {
   bucket = aws_s3_bucket.artifact_store.bucket
 
   rule {