S3 Bucket SSE Disabled
- Query id: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
- Query name: S3 Bucket SSE Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Postitive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
DeletionPolicy: Delete
Postitive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256",
"KMSMasterKeyID": "KMS-KEY-ARN"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Postitive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
KMSMasterKeyID: KMS-KEY-ARN
DeletionPolicy: Delete
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "KMS-KEY-ARN"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
KMSMasterKeyID: KMS-KEY-ARN
DeletionPolicy: Delete