Is your feature request related to a problem? Please describe.
While we don't plan on hosting any confidential information in our hosting buckets, it's always better safe than sorry, so we'd like it if the S3 buckets used for hosting had SSE enabled.
Describe alternatives you've considered
Being okay with SSE not being enabled :)
Contents in a hosting bucket are meant to be served publicly; personally, I don't see how SSE is useful in this scenario. Could you provide more context?
Ah, sorry, I realize now how non-contextual my request was. Let me explain a bit more:
I work with data which is sometimes sensitive, and with some fairly new/inexperienced developers. In order to make it both easy and safe for them to share their work, I'm using Amplify to make it easy to set up dev-tier/env applications and using WAF to allow access to those dev-tier applications only within our company VPN. While I would catch any accidentally-committed sensitive data in code review and therefore before CI/CD would push it to production, I won't be reviewing all code that ends up in the dev tier, so I'd like it if those dev-tier buckets could be encrypted, just in the rare case they push things they shouldn't.
@ncknuna
Thanks for providing more context.
I'm not very sure I completely understand it though. The hosting bucket hosts the frontend web application, which is the built and deployed frontend application that the end users view and interact with. The hosting bucket is not intended to store the application's codebase. A codebase repo, like GitHub, is used for that purpose.
IMHO, the frontend application itself should not contain any sensitive data; application data should generally be stored in the backend. The Amplify CLI and the Amplify JS library can help you to set up the backend and consume it, including data access controls.
Yup, definitely agree that the frontend application should not contain any sensitive data, and I'd catch it in code review if it did.
My concern is junior developers copy/pasting sensitive data into a module/page for a faster iteration loop (e.g. instead of querying the backend, which may be slow-ish for analytic queries), and then accidentally building and deploying the application with that copy/pasted sensitive data still in the code to the dev tier.
(I admit that this is a corner case, and I totally understand if you don't consider it worth supporting at this time, but I do think it's valid)
We have security audits and get a red flag on any unencrypted bucket. Allowing deployment buckets to be encrypted would help us in that we wouldn't have to spend time explaining the exceptions to our auditor.
Why are motives constantly questioned by the Amplify team? Give the option to enable encryption on the buckets and move on. It doesn't matter why we want to do this.
We also ran across this issue due to a security audit. The problem with not encrypting a bucket is that a company might have a LOT of buckets. Even though a bucket used by an Amplify project is not a security risk to have unencrypted, how can you automate a security scan of all buckets if some are allowed to be unencrypted? The simple answer is to enforce encryption on all buckets. As long as Amplify does not supply this functionality we will not be using it.
@UnleashedMind this feature request seems easy to accommodate. Why not enable to the community with a little more discussion?
I'm actually interested in the buckets used for CloudFormation DEPLOYMENTS. I've already identified how to customize the CloudFormation templates for HOSTING.
I don't really care if the CLI provides options to do it, but I do want to see documentation about WHERE do developers need to add modifications to add the security feature they need for deployment buckets.
EDIT: I filed a separate request over here https://github.com/aws-amplify/amplify-cli/issues/5172