HIGH
Source
Trivy
ID
AVD-AWS-0088

Unencrypted S3 bucket.

S3 buckets should have server-side encryption configured so that the data stored in them is protected if the underlying storage or access to it is compromised. Note that since January 2023 S3 applies SSE-S3 (AES256) to every new object by default; this check still expects the encryption configuration to be declared explicitly, which also lets you choose a KMS key instead of the S3-managed key.

Impact

Objects stored without server-side encryption can be read as plaintext if the bucket, its storage, or credentials with access to it are compromised.

Follow the appropriate remediation steps below to resolve the issue.

  1. Install awscli

    pip3 install awscli

  2. Configure awscli

    aws configure

  3. To enable default bucket encryption (SSE-S3) on an S3 bucket called `unencrypted-bucket`, run the following aws cli command. Default encryption only applies to objects written after it is set; existing objects keep whatever encryption they were stored with and must be re-uploaded or copied in place to change it.

    aws s3api put-bucket-encryption --bucket unencrypted-bucket --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
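The CLI step above fixes one bucket by hand. The following is an added example (not Trivy's or AVD's own code) that evaluates the `ServerSideEncryptionConfiguration` document returned by `get-bucket-encryption`, classifies it (none, SSE-S3, SSE-KMS, DSSE-KMS), and builds the document that `put-bucket-encryption` expects, either the AES256 form from the step above or the SSE-KMS form used in the CloudFormation and Terraform examples. The sample API responses and the KMS key ARN are constructed; `audit_account` assumes a boto3 S3 client and is the only part that needs credentials.

```python
"""Audit S3 default-encryption settings and build the remediation document.

Added example, not Trivy's or AVD's code. Sample responses are constructed so
the module runs offline; only audit_account() talks to AWS (assumes boto3).
"""
from typing import Optional

SSE_S3 = "AES256"          # SSE with S3-managed keys
SSE_KMS = "aws:kms"        # SSE with a KMS key
DSSE_KMS = "aws:kms:dsse"  # dual-layer SSE with a KMS key
# Error code S3 returns from get-bucket-encryption when no default encryption is set.
NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

# Constructed sample values of "ServerSideEncryptionConfiguration" from the API.
SAMPLE_SSE_S3 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
SAMPLE_SSE_KMS = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        # hypothetical key ARN, not a real account or key
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example-key-id",
    },
    "BucketKeyEnabled": True,
}]}


def evaluate_encryption(config: Optional[dict]) -> dict:
    """Classify one bucket's default encryption.

    `config` is the API's ServerSideEncryptionConfiguration, or None when the
    call raised NOT_FOUND (the bucket has no default encryption rule).
    """
    if not config or not config.get("Rules"):
        return {"compliant": False, "mode": "none", "key": None, "bucket_key": False,
                "finding": "AVD-AWS-0088: bucket has no default encryption rule"}
    # S3 accepts exactly one rule, so the first entry is the effective one.
    rule = config["Rules"][0]
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    alg = default.get("SSEAlgorithm")
    if alg == SSE_S3:
        return {"compliant": True, "mode": "sse-s3", "key": None, "bucket_key": False,
                "finding": None}
    if alg in (SSE_KMS, DSSE_KMS):
        # A missing KMSMasterKeyID means the AWS-managed key aws/s3 is used.
        return {"compliant": True,
                "mode": "sse-kms" if alg == SSE_KMS else "dsse-kms",
                "key": default.get("KMSMasterKeyID") or "aws/s3 (AWS managed)",
                "bucket_key": bool(rule.get("BucketKeyEnabled", False)),
                "finding": None}
    return {"compliant": False, "mode": "unknown", "key": None, "bucket_key": False,
            "finding": f"AVD-AWS-0088: unrecognised SSEAlgorithm {alg!r}"}


def remediation_config(kms_key_arn: Optional[str] = None, bucket_key: bool = True) -> dict:
    """Build the --server-side-encryption-configuration document.

    Without a key ARN this is exactly the AES256 document from the CLI step;
    with one it selects SSE-KMS plus an S3 Bucket Key, like the IaC examples.
    """
    default = {"SSEAlgorithm": SSE_S3}
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if kms_key_arn:
        default["SSEAlgorithm"] = SSE_KMS
        default["KMSMasterKeyID"] = kms_key_arn
        rule["BucketKeyEnabled"] = bucket_key  # fewer KMS requests per object
    return {"Rules": [rule]}


def audit_account(s3_client, fix: bool = False, kms_key_arn: Optional[str] = None) -> dict:
    """Evaluate every bucket through a boto3 S3 client; optionally remediate.

    Assumes s3_client = boto3.client("s3"). Not exercised offline.
    """
    results = {}
    for bucket in s3_client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            config = s3_client.get_bucket_encryption(Bucket=name)[
                "ServerSideEncryptionConfiguration"]
        except Exception as exc:  # botocore ClientError keeps the code in .response
            resp = getattr(exc, "response", None)
            code = resp.get("Error", {}).get("Code") if isinstance(resp, dict) else None
            if code != NOT_FOUND:
                raise
            config = None
        results[name] = evaluate_encryption(config)
        if fix and not results[name]["compliant"]:
            new_config = remediation_config(kms_key_arn)
            s3_client.put_bucket_encryption(
                Bucket=name, ServerSideEncryptionConfiguration=new_config)
            results[name] = evaluate_encryption(new_config)
    return results


if __name__ == "__main__":
    for label, cfg in (("unencrypted-bucket", None), ("sse-s3-bucket", SAMPLE_SSE_S3),
                       ("sse-kms-bucket", SAMPLE_SSE_KMS)):
        print(label, evaluate_encryption(cfg))
    print("remediation document:", remediation_config())
```

`audit_account(boto3.client("s3"), fix=True)` applies the AES256 document to every bucket that lacks a rule; pass `kms_key_arn` to use a customer-managed key instead. Remember that the new default only covers objects written afterwards.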

Configure bucket encryption

Resources:
  GoodExample:
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # S3 Bucket Key reduces the number of KMS requests made per object.
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              # Replace kms-arn with the ARN of the KMS key to encrypt with.
              KMSMasterKeyID: kms-arn
              SSEAlgorithm: aws:kms
    Type: AWS::S3::Bucket

Configure bucket encryption

# Customer-managed KMS key with automatic key rotation enabled.
resource "aws_kms_key" "good_example" {
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  # Default encryption for new objects: SSE-KMS with the key declared above.
  # The reference must use the resource's actual name (good_example).
  # Note: AWS provider v4 and later deprecate this inline block in favour of the
  # separate aws_s3_bucket_server_side_encryption_configuration resource.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.good_example.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}