Unencrypted S3 bucket.
S3 buckets should have default server-side encryption enabled so that objects are protected at rest if the underlying storage or a backup is compromised. Note the limits of this control: SSE-S3 (AES256) decrypts transparently for any principal that holds s3:GetObject, so it does not protect against a compromised IAM credential; SSE-KMS with a customer-managed key adds a kms:Decrypt check governed by the key policy and produces CloudTrail key-usage events. Default encryption also only applies to uploads that do not specify their own encryption header, so pair it with a bucket policy that denies unencrypted PutObject requests if enforcement is required.
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Configure bucket encryption (CloudFormation)
Resources:
  # Bucket with default (at-rest) encryption. Objects uploaded without an explicit
  # x-amz-server-side-encryption header are stored with the algorithm below.
  GoodExample:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # NOTE(review): BucketKeyEnabled only affects SSE-KMS (aws:kms); with
          # AES256 it has no effect. Harmless, but misleading in an example.
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              # AES256 = SSE-S3 (AWS-managed keys). Decryption is transparent to any
              # principal with s3:GetObject, so this does not limit access by a
              # compromised credential; use aws:kms with a customer-managed key if
              # key-policy-level access control or key-usage auditing is required.
              SSEAlgorithm: AES256
Configure bucket encryption (Terraform)
# Bucket with SSE-KMS default encryption declared inline on the bucket resource.
# NOTE(review): the inline server_side_encryption_configuration block is the
# pre-v4 AWS provider form and is deprecated in provider v4+; the standalone
# aws_s3_bucket_server_side_encryption_configuration resource (next example)
# is the current form.
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # "arn" is a placeholder, not a valid key ARN. Supply the ARN of a KMS key
        # (typically a reference to an aws_kms_key resource). The key policy must
        # grant the bucket's readers and writers kms:Decrypt / kms:GenerateDataKey,
        # otherwise object access fails after encryption is enabled.
        kms_master_key_id = "arn"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
# Bucket definition; encryption is attached by the separate resource below
# (AWS provider v4+ form).
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
  # ... other configuration ...
}

# Default SSE-KMS encryption for the bucket above.
# NOTE(review): aws_kms_key.mykey is referenced but not declared in this
# snippet; it must exist elsewhere in the configuration.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.good_example.id
  rule {
    apply_server_side_encryption_by_default {
      # Customer-managed key: access is additionally gated by the key policy and
      # key usage is logged in CloudTrail. Principals that read or write objects
      # need kms:Decrypt / kms:GenerateDataKey on this key.
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
  # Default encryption applies only to uploads that omit their own encryption
  # header; to enforce SSE-KMS for every PutObject, add a bucket policy that
  # denies requests whose s3:x-amz-server-side-encryption is not "aws:kms".
}
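terraform {
  required_version = ">= 1.0, < 2.0"
  required_providers {
    aws = ">= 4.0"
  }
}

# Customer-managed KMS key for the bucket's default encryption.
# No explicit policy is set, so the default key policy applies (full access for
# the account root; other principals need grants via IAM and the key policy).
resource "aws_kms_key" "s3_key" {
  description         = "This key is used to encrypt S3 bucket objects"
  enable_key_rotation = true
}

# Private, versioned, SSE-KMS encrypted bucket via the community module.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 3.0"

  # Fixed: S3 bucket names may contain only lowercase letters, digits, dots and
  # hyphens; the original "my_bucket" (underscore) is rejected at creation time.
  bucket = "my-bucket"
  acl    = "private"
  # NOTE(review): force_destroy = true lets `terraform destroy` delete the bucket
  # together with every object (and version) in it; keep false for production data.
  force_destroy = true

  # Block all forms of public access at the bucket level.
  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true

  # Versioning retains prior object versions (recovery from overwrite/deletion).
  versioning = {
    enabled = true
  }

  # Default encryption: SSE-KMS with the customer-managed key above. Principals
  # that read or write objects also need kms:Decrypt / kms:GenerateDataKey on it.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.s3_key.arn
      }
    }
  }
}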
Links