describe request here #340

Open
david-w-webb opened this issue Sep 23, 2024 · 2 comments
@david-w-webb

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or "me too" comments. They generate extra noise for issue followers and do not help prioritize the request.

Elastic Beanstalk creates a single S3 bucket: elasticbeanstalk-${AWS::Region}-${AWS::AccountId} when the first Elastic Beanstalk environment for an account/region is created, and uses that S3 bucket for all applications implemented within the account/region.

This S3 bucket is created unencrypted and with Public Access.

Please update the Elastic Beanstalk options for creating the default S3 bucket to allow for the options:

  • Non-public
  • Encrypted (support all encryption options)
@azpaulp

azpaulp commented Sep 23, 2024

Thank you for your interest in Elastic Beanstalk. Access to the S3 bucket you referred to here is restricted by policy. Encryption is enabled by default.

@david-w-webb

> Thank you for your interest in Elastic Beanstalk. Access to the S3 bucket you referred to here is restricted by policy. Encryption is enabled by default.

My request cannot be satisfied simply by using IAM or S3 resource policy restrictions. The issue is:

  1. The only S3 bucket that can be used is the default one. My request is to
    a. Allow an Elastic Beanstalk environment to use a previously defined S3 bucket that is not the default one.
    b. Allow an Elastic Beanstalk environment to use a specified KMS key when working with the bucket or with objects in the bucket.
  2. The bucket is created automatically as a publicly accessible bucket with no option to create it as private. My request is to allow the default bucket to be set to private when it is created.
  3. The bucket is created automatically without a bucket key with no option to assign one. My request is to allow automatic assignment of a bucket key to the default bucket when it is created.

The statement that the bucket is created with "encryption enabled" is partially correct. The bucket was created without a bucket key assigned and there was no option to enforce a bucket key nor to enforce a private bucket. It needs to have an option to create the default S3 bucket privately and with an AWS-SSE bucket key applied.

It also needs to have an option per Elastic Beanstalk environment to allow a separate S3 bucket to be assigned to the environment so that nothing is written to the default bucket. This is needed for multi-tenant AWS accounts where different organizations with separate Elastic Beanstalk environments can maintain their applications independently of one another within the same AWS account.

Example:
Teams A and B are small teams in a large company. They use a shared "enterprise" AWS account 1234567890 along with several other small organizations within that company because their footprint isn't large enough to justify additional account management resources.

  • Team A needs a publicly accessible Elastic Beanstalk application. They can create a publicly accessible S3 bucket which can be used to host their application using an AWS-SSE bucket key to encrypt files.
  • Team B needs their Elastic Beanstalk application to be private because it hosts sensitive material. They need all of their content to be stored on a private S3 bucket which is encrypted using a KMS-CMK bucket key.

Currently, Elastic Beanstalk forces these teams to operate from separate AWS accounts to meet their multi-tenant security requirements.
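The three properties the thread argues about (public access, default encryption, S3 Bucket Key) can be read back from any existing bucket with the S3 API, so an account owner can verify what the default bucket actually has today. The following audit script is an added example and is not part of this issue or of Elastic Beanstalk. It assumes only the bucket name format stated in the issue (`elasticbeanstalk-<region>-<account-id>`); the core assessment functions work on the response shapes of S3 `GetPublicAccessBlock` and `GetBucketEncryption`, and the sample responses embedded below are constructed, including the example key ARN. The optional `audit_live_bucket` helper uses boto3 and needs credentials and network access.

```python
"""Audit the settings the issue asks for on the Elastic Beanstalk default
bucket: no public access, default encryption enabled, S3 Bucket Key enabled,
optionally a specific KMS key. Added example, not project code."""
from dataclasses import dataclass, field
from typing import List, Optional


def default_bucket_name(region: str, account_id: str) -> str:
    """Bucket name format stated in the issue (assumption: it holds as written)."""
    return f"elasticbeanstalk-{region}-{account_id}"


@dataclass
class Finding:
    ok: bool
    issues: List[str] = field(default_factory=list)


PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_public_access(pab_response: Optional[dict]) -> Finding:
    """pab_response: dict returned by S3 GetPublicAccessBlock, or None when the
    bucket has no public access block configuration at all."""
    if pab_response is None:
        return Finding(False, ["no PublicAccessBlock configuration on bucket"])
    cfg = pab_response.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]
    return Finding(not missing, [f"{flag} is not enabled" for flag in missing])


def assess_encryption(sse_response: Optional[dict], require_kms: bool = False,
                      expected_key_id: Optional[str] = None) -> Finding:
    """sse_response: dict returned by S3 GetBucketEncryption, or None when the
    bucket has no default encryption rule. Checks algorithm, optional KMS key,
    and whether an S3 Bucket Key is enabled on the rule."""
    if sse_response is None:
        return Finding(False, ["no default encryption configuration on bucket"])
    rules = sse_response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return Finding(False, ["encryption configuration has no rules"])
    rule = rules[0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    issues = []
    if algo not in ("AES256", "aws:kms", "aws:kms:dsse"):
        issues.append(f"unexpected or missing SSEAlgorithm: {algo!r}")
    if require_kms and not (algo or "").startswith("aws:kms"):
        issues.append("SSE-KMS required but bucket uses SSE-S3 (AES256)")
    if expected_key_id and default.get("KMSMasterKeyID") != expected_key_id:
        issues.append("bucket does not use the expected KMS key")
    if not rule.get("BucketKeyEnabled", False):
        issues.append("BucketKeyEnabled is false (no S3 Bucket Key)")
    return Finding(not issues, issues)


# Constructed sample responses: shapes follow the S3 API, values are made up.
SAMPLE_OPEN_BUCKET_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}
SAMPLE_SSE_S3_NO_BUCKET_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
     "BucketKeyEnabled": False}]}}
SAMPLE_SSE_KMS_WITH_BUCKET_KEY = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
     "BucketKeyEnabled": True}]}}


def audit_live_bucket(bucket: str, region: Optional[str] = None) -> dict:
    """Fetch both configurations with boto3 and assess them. Needs credentials
    and network access; not exercised by the offline samples above."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3", region_name=region)
    try:
        pab = s3.get_public_access_block(Bucket=bucket)
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None  # bucket has no public access block at all
    try:
        sse = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError as e:
        if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        sse = None  # bucket has no default encryption rule
    return {"public_access": assess_public_access(pab),
            "encryption": assess_encryption(sse)}


if __name__ == "__main__":
    print(default_bucket_name("us-east-1", "111122223333"))
    print(assess_public_access(SAMPLE_OPEN_BUCKET_PAB))
    print(assess_encryption(SAMPLE_SSE_S3_NO_BUCKET_KEY))
    print(assess_encryption(SAMPLE_SSE_KMS_WITH_BUCKET_KEY, require_kms=True))
```

Run against a real account with `audit_live_bucket(default_bucket_name(region, account_id), region)`; the `require_kms` and `expected_key_id` parameters express the per-tenant requirement Team B in the example above would have (SSE-KMS with a customer-managed key), while the bucket-key check covers the point the reply makes about the default bucket being created without one.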
