文档

ACS-OSS-PutBucketEncryption

更新时间:

模板名称

ACS-OSS-PutBucketEncryption 配置OSSBucket加密规则

立即执行

模板描述

配置OSSBucket的加密规则

模板类型

自动化

所有者

Alibaba Cloud

输入参数

参数名称

描述

类型

是否必填

默认值

约束

SSEAlgorithm

SSE加密方式

String

bucketName

OSS bucket 名称

String

regionId

地域ID

String

{{ ACS::RegionId }}

KMSMasterKeyID

KMS密钥ID

String

False

OOSAssumeRole

OOS扮演的RAM角色

String

""

输出参数

执行此模板需要的权限策略

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutBucketEncryption"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

详情

ACS-OSS-PutBucketEncryption详情

模板内容

FormatVersion: OOS-2019-06-01
Description:
  en: Encryption rules for configuring buckets
  zh-cn: 配置OSSBucket的加密规则
  name-en: ACS-OSS-PutBucketEncryption
  name-zh-cn: 配置OSSBucket加密规则
  categories:
    - security
Parameters:
  regionId:
    Type: String
    Label:
      en: RegionId
      zh-cn: 地域ID
    AssociationProperty: RegionId
    Default: '{{ ACS::RegionId }}'
  SSEAlgorithm:
    Label:
      en: SSEAlgorithm
      zh-cn: SSE加密方式
    Description:
      en: Set the default encryption method of the server
      zh-cn: 设置服务端默认加密方式
    Type: String
    AllowedValues:
      - KMS
      - AES256
  KMSMasterKeyID:
    Label:
      en: KMSMasterKeyID
      zh-cn: KMS密钥ID
    Description:
      en: >-
        When the ssealgorithm value is KMS, you need to enter the key ID,
        otherwise, it must be empty(Default No is empty)
      zh-cn: 当SSEAlgorithm值为KMS时,需输入KMSMasterKeyID,其他情况下,必须为空(No 代表为空)
    Type: String
    Default: No
  bucketName:
    Label:
      en: BucketName
      zh-cn: OSS bucket 名称
    Type: String
    AssociationProperty: ALIYUN::OSS::Bucket::BucketName
    AssociationPropertyMetadata:
      RegionId: regionId
  OOSAssumeRole:
    Label:
      en: OOSAssumeRole
      zh-cn: OOS扮演的RAM角色
    Type: String
    Default: ''
RamRole: '{{ OOSAssumeRole }}'
Tasks:
  - Name: chooseWetherHasKMSMasterKeyIDTask
    Action: 'ACS::Choice'
    Properties:
      DefaultTask: putBucketEncryptionNoKeyId
      Choices:
        - When:
            'Fn::Equals':
              - KMS
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryption
        - When:
            'Fn::Equals':
              - AES256
              - '{{ SSEAlgorithm }}'
          NextTask: putBucketEncryptionNoKeyId
  - Name: putBucketEncryptionNoKeyId
    Action: 'ACS::ExecuteAPI'
    Description:
      en: 'Encryption rules for configuring buckets(AES256)'
      zh-cn: 用于配置Bucket的加密规则(AES256)
    OnSuccess: 'ACS::END'
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID></KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'
  - Name: putBucketEncryption
    Action: 'ACS::ExecuteAPI'
    Description:
      en: Encryption rules for configuring buckets(KMS)
      zh-cn: 用于配置Bucket的加密规则(KMS)
    Properties:
      Service: OSS
      API: PutBucketEncryption
      Method: PUT
      URI: '?encryption'
      Headers:
        Content-MD5: ""
        Content-Type: application/xml
      Parameters:
        RegionId: '{{ regionId }}'
        BucketName: '{{ bucketName }}'
      Body: '<?xml version="1.0" encoding="UTF-8"?>
             <ServerSideEncryptionRule>
               <ApplyServerSideEncryptionByDefault>
                 <SSEAlgorithm>{{ SSEAlgorithm }}</SSEAlgorithm>
                 <KMSMasterKeyID>{{ KMSMasterKeyID }}</KMSMasterKeyID>
               </ApplyServerSideEncryptionByDefault>
             </ServerSideEncryptionRule>'