S3 Bucket SSE Disabled

  • Query id: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
  • Query name: S3 Bucket SSE Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "aws:kms"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}
Postitive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
    DeletionPolicy: Delete
Postitive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "AES256",
                              "KMSMasterKeyID": "KMS-KEY-ARN"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}

Postitive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "aws:kms",
                              "KMSMasterKeyID": "KMS-KEY-ARN"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete