Creating S3 bucket with SSE (Server Side Encryption)

Hello!

I was wondering if we can create S3 buckets with Server Side Encryption? I see the deployment bucket supports SSE since 1.16.0 (https://serverless.com/blog/serverless-v1.16.0/) but could not find any documentation to enable SSE for user created buckets.

Can SSE be enabled when defining S3 events or in Resources?

Any help is appreciated!

Looking to see if anyone has been successful at this as well. I posted the same question (Default deployment bucket SSE) but haven’t seen any traffic.

Here’s a working serverless.yml I just slapped together:

service: s3project

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: us-west-1

functions:
  hello:
    handler: handler.hello

resources:
  Resources:
    S3BucketMySpecialBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:provider.stage}-my-special-bucket
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256

You can confirm in the console that it was created with encryption enabled.

If you’re looking to create your bucket by defining it as an event source, try this one. You still need the resources section, but be sure to name the bucket resource logical name in alignment with the logical naming rules:

service: s3project

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: us-west-1

functions:
  hello:
    handler: handler.hello
    events:
      - s3: superBucket

resources:
  Resources:
    S3BucketSuperBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:provider.stage}-my-super-bucket
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256

Hope it helps.
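
A pre-deploy check for the pattern in the two configurations above, as an added example that is not part of the original posts or of the Serverless Framework. It takes a serverless.yml already parsed into a dict, flags `AWS::S3::Bucket` resources without default encryption, and flags `s3` events whose bucket has no matching resource; the naming rule in `bucket_logical_id` is an assumption inferred from the `superBucket` / `S3BucketSuperBucket` pair, and the sample configs are constructed.

```python
import re

ACCEPTED = {"AES256", "aws:kms", "aws:kms:dsse"}

def bucket_logical_id(event_bucket):
    # Assumed naming rule: drop non-alphanumerics, capitalise, prefix "S3Bucket".
    name = re.sub(r"[^0-9A-Za-z]", "", event_bucket)
    return "S3Bucket" + name[:1].upper() + name[1:]

def has_default_sse(resource):
    rules = (resource.get("Properties", {}).get("BucketEncryption", {})
             .get("ServerSideEncryptionConfiguration", []))
    return any(r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ACCEPTED for r in rules)

def audit(config):
    """Return a list of findings for a parsed serverless.yml (dict)."""
    findings = []
    resources = (config.get("resources") or {}).get("Resources") or {}
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::S3::Bucket" and not has_default_sse(res):
            findings.append(f"{logical_id}: bucket has no default encryption")
    for fn_name, fn in (config.get("functions") or {}).items():
        for event in fn.get("events") or []:
            s3 = event.get("s3") if isinstance(event, dict) else None
            if s3 is None:
                continue
            # The event is either a bare bucket name or a mapping with "bucket".
            bucket = s3 if isinstance(s3, str) else s3.get("bucket", "")
            expected = bucket_logical_id(bucket)
            if expected not in resources:
                findings.append(f"{fn_name}: event bucket {bucket!r} needs a "
                                f"{expected} resource to carry BucketEncryption")
    return findings

def _bucket(encrypted=True):  # constructed sample resource
    props = {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
    return {"Type": "AWS::S3::Bucket", "Properties": props if encrypted else {}}

# Constructed configs: GOOD mirrors the second serverless.yml above.
GOOD = {"functions": {"hello": {"events": [{"s3": "superBucket"}]}},
        "resources": {"Resources": {"S3BucketSuperBucket": _bucket()}}}
BAD = {"functions": {"hello": {"events": [{"s3": "superBucket"}]}},
       "resources": {"Resources": {"MyBucket": _bucket(),
                                   "LogsBucket": _bucket(encrypted=False)}}}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg) or "ok")
```

To run it against a real file, load the YAML with a parser of your choice and pass the resulting dict to `audit`.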

Thanks. This does work for me and gives me the expected results. Didn’t think to put it in the Resources section. I will try to apply this to my specific serverless.yml.


I attempted this method and I have an issue where that bucket already exists. My environment already exists without the encryption and I’m just trying to add it on. That will be a problem deploying this to production, but that’s a different issue. So I deploy to a new stage and I get this error:

“An error occurred: S3Bucketxxxxxxxxxxxxxx - Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: 0EEE841094AA8DF1; S3 Extended Request ID: 3ozSLtqO0nzXDMDfL65o4FhPzsUVrOQEGbIN2nF7b26c3lHIIRyETI7ntKxC88anSC45dcV9hOI=; Proxy: null).”