Server-side encryption
In this scenario, you will enable bucket encryption. As a symmetric encryption key, you will use a Yandex Key Management Service key. This key will encrypt all new bucket objects with envelope encryption.
To encrypt, a bucket user must have both the storage.configurer role and the kms.keys.encrypter role, which grants access to the key. To decrypt objects, the user needs the storage.configurer and kms.keys.decrypter roles to read the encryption key.
For more information, see Key Management Service service roles.
To enable server-side bucket encryption:
- Prepare your cloud.
- Create a bucket.
- Create a key.
- Enable encryption.
If you no longer need to encrypt new bucket objects, disable encryption.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of maintaining a bucket with encryption includes:
- Fee for storing data in a bucket (see Object Storage pricing).
- Fee for data operations (see Object Storage pricing).
- Fee for using KMS keys (see Key Management Service pricing).
Create a bucket
You can create a new bucket or use an existing one. To create a bucket:
Management console
- In the management console, select the folder where you want to create a bucket.
- In the list of services, select Object Storage.
- Click Create bucket.
- In the Name field, enter a name for the bucket.
  The name must meet the following requirements:
  - The name must be from 3 to 63 characters long.
  - The name may contain lowercase Latin letters, numbers, hyphens, and periods.
  - The first and last characters must be letters or numbers.
  - The characters to the right and left of a period must be letters or numbers.
  - The name must not look like an IP address, e.g., 10.1.3.9.
- Specify the maximum size of the bucket in GB.
- In the Object read access, Object listing access, and Read access to settings fields, select Restricted.
- Click Create bucket.
AWS CLI
- If you do not have the AWS CLI yet, install and configure it.
- Run this command:
aws s3 mb s3://<bucket_name> --endpoint-url=https://storage.yandexcloud.net
  Result:
make_bucket: <bucket_name>
Terraform
- If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
locals {
  cloud_id    = "<cloud_ID>"
  folder_id   = "<folder_ID>"
  oauth       = "<OAuth>"
  zone        = "ru-central1-a"
  sa_name     = "new-buckets-account"
  sa_desc     = "Account for managing Object Storage buckets"
  sa_key_desc = "Static key for ${local.sa_name}"
  bucket_name = "Bucket name" # The name of the bucket being created. If you do not specify a bucket name for the `yandex_storage_bucket` resource, the name will be generated automatically.
}

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

provider "yandex" {
  token     = local.oauth
  cloud_id  = local.cloud_id
  folder_id = local.folder_id
  zone      = local.zone
}

resource "yandex_iam_service_account" "buckets-account" {
  name        = local.sa_name
  description = local.sa_desc
}

resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
  folder_id = local.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
}

resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
  service_account_id = yandex_iam_service_account.buckets-account.id
  description        = local.sa_key_desc
}

resource "yandex_storage_bucket" "test" {
  bucket     = local.bucket_name
  access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key
}
  For more information about the resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
terraform apply
  - Confirm that you want to create the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account
  - editor role for new-buckets-account
  - Static key for the service account
  - Bucket
  You can check the new resources using the management console.
Create a key
Create a new key or use an existing one. To create a key:
Management console
- In the management console, select the folder where you want to create a key.
- In the list of services, select Key Management Service.
- Click Create key.
- In the window that opens:
  - In the Name field, specify bucket-key.
  - In the Encryption algorithm field, select AES-256.
  - In the Rotation period, days field, set the rotation period to 7 days.
  - Click Create.
  The key is created together with its first version: click the key in the list to open a page with its attributes.
CLI
Run this command:
yc kms symmetric-key create \
  --name key-1 \
  --default-algorithm aes-256 \
  --rotation-period 7d
Where:
- --name: Key name.
- --default-algorithm: Encryption algorithm (aes-128, aes-192, or aes-256).
- --rotation-period: Key rotation period. To create a key without automatic rotation, do not specify the --rotation-period parameter.
The key is created along with its first version. It is specified in the primary_version field.
Terraform
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
locals {
  cloud_id    = "<cloud_ID>"
  folder_id   = "<folder_ID>"
  oauth       = "<OAuth>"
  zone        = "ru-central1-a"
  sa_name     = "new-buckets-account"
  sa_desc     = "Account for managing Object Storage buckets"
  sa_key_desc = "Static key for ${local.sa_name}"
  key_name    = "key-1" # KMS key name.
  key_desc    = "Bucket encryption key"
  bucket_name = "Bucket name"
}

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

provider "yandex" {
  token     = local.oauth
  cloud_id  = local.cloud_id
  folder_id = local.folder_id
  zone      = local.zone
}

resource "yandex_iam_service_account" "buckets-account" {
  name        = local.sa_name
  description = local.sa_desc
}

resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
  folder_id = local.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
}

resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
  service_account_id = yandex_iam_service_account.buckets-account.id
  description        = local.sa_key_desc
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = local.key_name
  description       = local.key_desc
  default_algorithm = "AES_256"
  rotation_period   = "168h"
}

resource "yandex_storage_bucket" "test" {
  bucket     = local.bucket_name
  access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key
}
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
terraform apply
  - Confirm that you want to create the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account
  - editor role for new-buckets-account
  - Static key for the service account
  - KMS key named key-1
  - Bucket
  You can check the new resources using the management console.
API
Use the create method for the SymmetricKey resource.
Enable encryption
To enable bucket encryption with a KMS key:
Management console
- In the management console, select the folder where the bucket is located.
- In the list of services, select Object Storage.
- Select the previously created bucket.
- Go to the Encryption tab.
- In the KMS Key field, select key-1.
- Click Save.
AWS CLI
Run this command:
aws s3api put-bucket-encryption \
  --bucket <bucket_name> \
  --endpoint-url=https://storage.yandexcloud.net \
  --server-side-encryption-configuration '{
    "Rules": [
      {
        "ApplyServerSideEncryptionByDefault": {
          "SSEAlgorithm": "aws:kms",
          "KMSMasterKeyID": "<KMS_key_ID>"
        },
        "BucketKeyEnabled": true
      }
    ]
  }'
As a result of successful command execution, all new objects in the bucket will be encrypted with key-1.
Terraform
- Describe the resources in the configuration file. In this scenario, the parameters are specified under locals:
locals {
  cloud_id    = "<cloud_ID>"
  folder_id   = "<folder_ID>"
  oauth       = "<OAuth>"
  zone        = "ru-central1-a"
  sa_name     = "new-buckets-account"
  sa_desc     = "Account for managing Object Storage buckets"
  sa_key_desc = "Static key for ${local.sa_name}"
  key_name    = "key-1" # KMS key name.
  key_desc    = "Bucket encryption key"
  bucket_name = "Bucket name" # Bucket name.
}

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

provider "yandex" {
  token     = local.oauth
  cloud_id  = local.cloud_id
  folder_id = local.folder_id
  zone      = local.zone
}

resource "yandex_iam_service_account" "buckets-account" {
  name        = local.sa_name
  description = local.sa_desc
}

resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
  folder_id = local.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
}

resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
  service_account_id = yandex_iam_service_account.buckets-account.id
  description        = local.sa_key_desc
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = local.key_name
  description       = local.key_desc
  default_algorithm = "AES_256"
  rotation_period   = "168h"
}

resource "yandex_storage_bucket" "test" {
  bucket     = local.bucket_name
  access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = yandex_kms_symmetric_key.key-a.id
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
terraform apply
  - Confirm that you want to create the resources.
  After the command is executed, Terraform updates or creates the following resources in the specified folder:
  - new-buckets-account service account
  - editor role for new-buckets-account
  - Static key for the service account
  - KMS key named key-1
  - Bucket with encryption
  You can check the new resources using the management console. As a result of successful command execution, all new objects in the bucket will be encrypted with key-1.
Disable encryption
If you no longer need to encrypt new bucket objects, disable encryption.
Alert
After you disable bucket encryption, previously uploaded objects will be stored in encrypted form. Data in Object Storage is encrypted using envelope encryption. Deleting a key is the same as destroying all data encrypted with that key.
Management console
- In the management console, select the folder where the bucket is located.
- In the list of services, select Object Storage.
- Select the previously created bucket.
- Go to the Encryption tab.
- In the KMS Key field, select Not selected.
- Click Save.
AWS CLI
Run this command:
aws s3api delete-bucket-encryption \
  --bucket <bucket_name> \
  --endpoint-url=https://storage.yandexcloud.net
As a result of successful execution, bucket encryption will be disabled.
Terraform
- Describe the resources in the configuration file. To disable encryption, delete or comment out the server_side_encryption_configuration section of the yandex_storage_bucket resource:
locals {
  cloud_id    = "<cloud_ID>"
  folder_id   = "<folder_ID>"
  oauth       = "<OAuth>"
  zone        = "ru-central1-a"
  sa_name     = "new-buckets-account"
  sa_desc     = "Account for managing Object Storage buckets"
  sa_key_desc = "Static key for ${local.sa_name}"
  key_name    = "key-1"
  key_desc    = "Bucket encryption key"
  bucket_name = "Bucket name"
}

terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

provider "yandex" {
  token     = local.oauth
  cloud_id  = local.cloud_id
  folder_id = local.folder_id
  zone      = local.zone
}

resource "yandex_iam_service_account" "buckets-account" {
  name        = local.sa_name
  description = local.sa_desc
}

resource "yandex_resourcemanager_folder_iam_member" "buckets-account-role" {
  folder_id = local.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.buckets-account.id}"
}

resource "yandex_iam_service_account_static_access_key" "buckets-account-key" {
  service_account_id = yandex_iam_service_account.buckets-account.id
  description        = local.sa_key_desc
}

resource "yandex_kms_symmetric_key" "key-a" {
  name              = local.key_name
  description       = local.key_desc
  default_algorithm = "AES_256"
  rotation_period   = "168h"
}

resource "yandex_storage_bucket" "test" {
  bucket     = local.bucket_name
  access_key = yandex_iam_service_account_static_access_key.buckets-account-key.access_key
  secret_key = yandex_iam_service_account_static_access_key.buckets-account-key.secret_key

  /*
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = yandex_kms_symmetric_key.key-a.id
        sse_algorithm     = "aws:kms"
      }
    }
  }
  */
}
- Make sure the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
terraform apply
  - Confirm that you want to update the resources.
  After the command is executed, Terraform updates the following resources in the specified folder:
  - new-buckets-account service account
  - editor role for new-buckets-account
  - Static key for the service account
  - KMS key named key-1
  - Bucket
  Bucket encryption in the specified folder will be disabled. You can check the resources update and configuration using the management console.
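As an added verification step for the Enable encryption and Disable encryption procedures above (example code written for this page, not part of the Yandex Cloud documentation): it parses the JSON that `aws s3api get-bucket-encryption --bucket <bucket_name> --endpoint-url=https://storage.yandexcloud.net` returns and reports whether new objects will be encrypted with the expected KMS key. It assumes the response carries the same Rules document that put-bucket-encryption above accepts, and that a bucket without an encryption configuration makes the CLI fail with the S3 error code ServerSideEncryptionConfigurationNotFoundError rather than return JSON; both samples below are constructed.

```python
import json

EXPECTED_ALGORITHM = "aws:kms"  # SSEAlgorithm used by put-bucket-encryption in this scenario


def check_sse_config(config: dict, expected_key_id: str) -> list[str]:
    """Return findings for a bucket encryption configuration; [] means compliant.
    Accepts the full get-bucket-encryption response or the bare {"Rules": [...]} document."""
    sse = config.get("ServerSideEncryptionConfiguration", config)
    rules = sse.get("Rules", [])
    if not rules:
        return ["no default encryption rule: new objects are stored without SSE-KMS"]
    findings = []
    for i, rule in enumerate(rules):
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default is None:
            findings.append(f"rule {i}: no ApplyServerSideEncryptionByDefault block")
            continue
        algorithm = default.get("SSEAlgorithm")
        if algorithm != EXPECTED_ALGORITHM:
            findings.append(f"rule {i}: SSEAlgorithm is {algorithm!r}, expected {EXPECTED_ALGORITHM!r}")
        key_id = default.get("KMSMasterKeyID")
        if not key_id:
            findings.append(f"rule {i}: KMSMasterKeyID is missing")
        elif key_id != expected_key_id:
            findings.append(f"rule {i}: KMSMasterKeyID is {key_id!r}, expected {expected_key_id!r}")
    return findings


def check_cli_output(output: str, expected_key_id: str) -> list[str]:
    """Classify raw get-bucket-encryption output, including its failure mode.
    Assumption: after delete-bucket-encryption the call fails with the S3 error code
    ServerSideEncryptionConfigurationNotFoundError instead of returning JSON."""
    if "ServerSideEncryptionConfigurationNotFoundError" in output:
        return ["no encryption configuration: bucket encryption is disabled"]
    return check_sse_config(json.loads(output), expected_key_id)


# Constructed sample: the response expected after the put-bucket-encryption call
# from this scenario (placeholder key ID as on the page).
SAMPLE_ENCRYPTED = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                           "KMSMasterKeyID": "<KMS_key_ID>"},
    "BucketKeyEnabled": True}]}})
# Constructed sample of the CLI error text after delete-bucket-encryption.
SAMPLE_DISABLED = ("An error occurred (ServerSideEncryptionConfigurationNotFoundError) "
                   "when calling the GetBucketEncryption operation")

if __name__ == "__main__":
    for label, text in (("after enable", SAMPLE_ENCRYPTED), ("after disable", SAMPLE_DISABLED)):
        print(label + ":", check_cli_output(text, "<KMS_key_ID>") or "OK")
```

Note that the Terraform configurations above grant the service account the broad editor role, whereas the roles listed at the top of this page (storage.configurer with kms.keys.encrypter or kms.keys.decrypter) are the narrower set the page states encryption and decryption actually require.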