kms_key_arn

Type string
Default null
Module s3-bucket

KMS key ARN for encryption. Required when encryption_type is 'aws:kms'.

Overview

The ARN of the KMS key used for server-side encryption. This is required when encryption_type is set to aws:kms.

Default Value

kms_key_arn = null

Example Value

arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

Usage

module "secure_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "3.0.0"

  bucket_name     = "sensitive-data"
  encryption_type = "aws:kms"
  kms_key_arn     = aws_kms_key.bucket.arn
}

Key Requirements

  • Key must allow the S3 service to use it for encryption
  • Key policy must grant kms:GenerateDataKey* and kms:Decrypt permissions
  • Cross-account keys require additional policy configuration

Best Practices

  • Use customer-managed keys for full control
  • Enable automatic key rotation
  • Use alias ARNs for easier key management
  • Consider bucket keys to reduce KMS API calls and costs
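Added example (not part of the s3-bucket module) of a customer-managed key that meets the Key Requirements and Best Practices above: a key policy that delegates administration to IAM, grants kms:GenerateDataKey* and kms:Decrypt only to named roles and only for requests S3 makes on their behalf, plus automatic rotation and an alias. The variable bucket_user_role_arns and the alias name are assumptions made for this example.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Roles that will read and write objects in the bucket (hypothetical input).
variable "bucket_user_role_arns" { type = list(string) }

data "aws_iam_policy_document" "bucket_key" {
  # Administrative access is delegated to IAM via the account root, which
  # keeps the key manageable; no data-plane (Decrypt/GenerateDataKey) here.
  statement {
    sid = "KeyAdministration"
    actions = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
      "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*",
      "kms:Delete*", "kms:TagResource", "kms:UntagResource",
      "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  # Data-plane use: only the named roles, and only for requests that S3
  # makes on their behalf in this region (SSE-KMS object reads and writes).
  statement {
    sid       = "AllowUseViaS3"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.bucket_user_role_arns
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "bucket" {
  description         = "SSE-KMS key for the sensitive-data bucket"
  policy              = data.aws_iam_policy_document.bucket_key.json
  enable_key_rotation = true # Best Practices: automatic rotation
}

# The alias ARN can be passed as kms_key_arn instead of the key ARN.
resource "aws_kms_alias" "bucket" {
  name          = "alias/sensitive-data-bucket"
  target_key_id = aws_kms_key.bucket.key_id
}
```

If you later enable S3 Bucket Keys, avoid adding a kms:EncryptionContext:aws:s3:arn condition scoped to object ARNs: with Bucket Keys, S3 uses the bucket ARN as the encryption context, so such a condition would deny the requests.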

Full Module Example

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  # kms_key_arn
  kms_key_arn = "..."

  # Other required inputs
  bucket_name = "..."
}