CloudOps Orchestration Service: ACS-OSS-PutBucketEncryption

Last Updated: Dec 18, 2024

Template name

ACS-OSS-PutBucketEncryption

Template description

Configures a data encryption rule for an Object Storage Service (OSS) bucket.

Template type

Automated

Owner

Alibaba Cloud

Input parameters

| Parameter | Description | Data type | Required | Default value | Limit |
| --- | --- | --- | --- | --- | --- |
| SSEAlgorithm | The server-side encryption (SSE) method. | String | Yes | | |
| bucketName | The name of the OSS bucket. | String | Yes | | |
| regionId | The region ID. | String | No | {{ ACS::RegionId }} | |
| KMSMasterKeyID | The ID of the key that is managed by Key Management Service (KMS). | String | No | False | |
| OOSAssumeRole | The RAM role that is assumed by CloudOps Orchestration Service (OOS). | String | No | "" | |

Output parameters

N/A.

Permission policy that is required to execute the template

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutBucketEncryption"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

References

ACS-OSS-PutBucketEncryption

Template content

FormatVersion: OOS-2019-06-01
Description:
  en: Encryption rules for configuring buckets
  name-en: ACS-OSS-PutBucketEncryption 
  categories:
    - security
Parameters:
  regionId:
    Type: String
    Label:
      en: RegionId   
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  SSEAlgorithm:
    Label:
      en: SSEAlgorithm      
    Description:
      en: Set the default encryption method of the server      
    Type: String
    AllowedValues:
      - KMS
      - AES256
  KMSMasterKeyID:
    Label:
      en: KMSMasterKeyID      
    Description:
      en: >-
        When the ssealgorithm value is KMS, you need to enter the key ID,
        otherwise, it must be empty(Default No is empty)      
    Type: String
    Default: No
  bucketName:
    Label:
      en: BucketName       
    Type: String
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      RegionId: regionId
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: chooseWetherHasKMSMasterKeyIDTask
    Action: 'ACS::Choice'
    Properties:
      DefaultTask: putBucketEncryptionNoKeyId
      Choices:
        - When:
            'Fn::Equals':
              - KMS
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryption
        - When:
            'Fn::Equals':
              - AES256
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryptionNoKeyId
  - Name: putBucketEncryptionNoKeyId
    Action: 'ACS::ExecuteAPI'
    Description:
      en: 'Encryption rules for configuring buckets(AES256)'      
    OnSuccess: 'ACS::END'
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID></KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'
  - Name: putBucketEncryption
    Action: 'ACS::ExecuteAPI'
    Description:
      en: Encryption rules for configuring buckets(KMS)     
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID>{{ KMSMasterKeyID }}</KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'
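
A pre-flight check that mirrors the template's ACS::Choice branching and the request body each task sends, so an inconsistent SSEAlgorithm / KMSMasterKeyID pair is caught before execution. This is an added example, not part of Alibaba Cloud's template; the function names, the constructed key ID and the set of values treated as "no key supplied" are assumptions, and the rule that KMS needs a key ID follows the KMSMasterKeyID description in the template.

```python
from xml.sax.saxutils import escape

ALLOWED_ALGORITHMS = ("KMS", "AES256")  # AllowedValues in the template
# Assumption: values meaning "no key supplied" (the page shows the default as No / False).
NO_KEY_VALUES = {"", "no", "false"}
SAMPLE_KEY_ID = "key-constructed-0001"  # constructed sample, not a real KMS key ID

BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<ServerSideEncryptionRule>"
    "<ApplyServerSideEncryptionByDefault>"
    "<SSEAlgorithm>{alg}</SSEAlgorithm>"
    "<KMSMasterKeyID>{key}</KMSMasterKeyID>"
    "</ApplyServerSideEncryptionByDefault>"
    "</ServerSideEncryptionRule>"
)

def choose_task(sse_algorithm):
    """Mirror the ACS::Choice task: KMS goes to putBucketEncryption, anything else to the default."""
    return "putBucketEncryption" if sse_algorithm == "KMS" else "putBucketEncryptionNoKeyId"

def check_parameters(sse_algorithm, kms_master_key_id="No"):
    """Return a list of problems; an empty list means the pair is consistent."""
    key_missing = str(kms_master_key_id).strip().lower() in NO_KEY_VALUES
    problems = []
    if sse_algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"SSEAlgorithm {sse_algorithm!r} is not one of {ALLOWED_ALGORITHMS}")
    elif sse_algorithm == "KMS" and key_missing:
        problems.append("SSEAlgorithm is KMS but KMSMasterKeyID is unset; the default "
                        "placeholder would be substituted into the request body")
    elif sse_algorithm == "AES256" and not key_missing:
        problems.append("KMSMasterKeyID is set but the AES256 task sends an empty "
                        "key ID, so that key would not be applied")
    return problems

def render_body(sse_algorithm, kms_master_key_id="No"):
    """Build the body the chosen task would send; raise ValueError on a bad pair."""
    problems = check_parameters(sse_algorithm, kms_master_key_id)
    if problems:
        raise ValueError("; ".join(problems))
    use_key = choose_task(sse_algorithm) == "putBucketEncryption"
    key = escape(str(kms_master_key_id).strip()) if use_key else ""
    return BODY.format(alg=sse_algorithm, key=key)

if __name__ == "__main__":
    print(render_body("AES256"))
    print(render_body("KMS", SAMPLE_KEY_ID))
    print(check_parameters("KMS"))  # default key ID left in place
```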