HIGH
Source
Trivy
ID
AVD-AWS-0132

S3 encryption should use Customer Managed Keys

Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

Impact

Using AWS managed keys does not allow for fine grained control

Follow the appropriate remediation steps below to resolve the issue.

Configure bucket encryption

1
2
3
4
5
6
7
8
9
Resources:
  GoodExample:
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: true
            ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
    Type: AWS::S3::Bucket

Configure bucket encryption

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"
  
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "arn"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}