Add default S3 encryption example

Just following along with the guide and thought I'd suggest what appears to be a missing command line.  I'm assuming that it's generally appropriate.
Andrew Bobulsky 2018-10-05 23:08:00 -04:00 committed by GitHub
parent 7b4133c823
commit 8c75c6458c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 1 deletions

@ -277,7 +277,13 @@ Information regarding cluster state store location must be set when using `kops`
kops supports [default bucket encryption](https://aws.amazon.com/de/blogs/aws/new-amazon-s3-encryption-security-features/) to encrypt the kops state in an S3 bucket. In this way, whatever default server side encryption is set for your bucket, it will be used for the kops state, too. You may want to use this AWS feature e.g. for easily encrypting every written object by default or when for compliance reasons you need to use specific encryption keys (KMS, CMK).
If your S3 bucket has a default encryption set up, kops will use it. If the default encryption is not set or it cannot be checked, kops will resort to using client side AES256 encryption.
If your S3 bucket has a default encryption set up, kops will use it:
```bash
aws s3api put-bucket-encryption --bucket prefix-example-com-state-store --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
```
If the default encryption is not set or it cannot be checked, kops will resort to using client side AES256 encryption.
### Sharing an S3 bucket across multiple accounts
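Review bot: The new lead-in "If your S3 bucket has a default encryption set up, kops will use it:" ends in a colon, but the command beneath it turns default encryption on for the bucket rather than showing kops using it, so the sentence and the example do not match. Consider leaving the original sentence whole and introducing the command on its own line, for example "To enable default encryption on the state store bucket:". The example sets `SSEAlgorithm` to `AES256` only, while the paragraph above names specific keys (KMS, CMK) as a compliance reason for this feature, so a short remark on how to select a KMS key would serve those readers. Blank lines before and after the fenced block would also keep the Markdown separated from the surrounding sentences.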