S3 Bucket SSE Disabled

  • Query id: 6726dcc0-5ff5-459d-b473-a780bef7665c
  • Query name: S3 Bucket SSE Disabled
  • Platform: Terraform
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

If the SSE algorithm is AES256, the KMS master key must be null, empty or undefined; otherwise the master key is required.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive case 1 (classic aws_s3_bucket, provider ~> 3.0): the bucket declares
# no server_side_encryption_configuration block, so nothing in this file enables
# default server-side encryption for the objects stored in it.
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  # Versioning with MFA delete guards against deletion, not against
  # unencrypted storage; it does not satisfy this query.
  versioning {
    mfa_delete = true
  }
}
Positive test num. 2 - tf file
# Positive case 2 (classic aws_s3_bucket, provider ~> 3.0): encryption is
# declared, but the algorithm/key combination is inconsistent (see below).
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  # Flagged: sse_algorithm is AES256 (SSE-S3) yet kms_master_key_id is set.
  # Per the rule, AES256 must have a null, empty or undefined master key.
  server_side_encryption_configuration  {
    rule  {
      apply_server_side_encryption_by_default  {
        kms_master_key_id = "some-key"
        sse_algorithm     = "AES256"
      }
    }
  }

  versioning {
    mfa_delete = true
  }
}
Positive test num. 3 - tf file
# Positive case 3 (classic aws_s3_bucket, provider ~> 3.0): KMS encryption is
# requested without naming the key (see below).
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  # Flagged: sse_algorithm is aws:kms but no kms_master_key_id is given.
  # The rule requires a master key for any algorithm other than AES256.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
      }
    }
  }

  versioning {
    mfa_delete = true
  }
}

Positive test num. 4 - tf file
# Positive case 4 (terraform-aws-modules/s3-bucket 3.7.0): no
# server_side_encryption_configuration input is passed to the module, so
# nothing in this file configures default encryption for the bucket.
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  # Versioning alone does not encrypt objects at rest.
  versioning = {
    enabled = true
  }

}
Positive test num. 5 - tf file
# Positive case 5 (terraform-aws-modules/s3-bucket 3.7.0): module form of
# positive case 2 - AES256 combined with a master key.
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # Flagged: sse_algorithm is AES256 yet kms_master_key_id is set; the rule
  # requires the master key to be null, empty or undefined for AES256.
  # NOTE(review): this input is written as a nested block while versioning
  # above is an attribute assignment (= { ... }); confirm against the module's
  # input schema that the block form is what the query is meant to evaluate.
  server_side_encryption_configuration  {
    rule  {
      apply_server_side_encryption_by_default  {
        kms_master_key_id = "some-key"
        sse_algorithm     = "AES256"
      }
    }
  }
}
Positive test num. 6 - tf file
# Positive case 6 (terraform-aws-modules/s3-bucket 3.7.0): module form of
# positive case 3 - aws:kms without a master key.
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # Flagged: sse_algorithm is aws:kms but no kms_master_key_id is given; the
  # rule requires a master key for any algorithm other than AES256.
   server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
Positive test num. 7 - tf file
# Positive case 7 (provider 4.2.0): with the 4.x provider, encryption is
# configured through the separate aws_s3_bucket_server_side_encryption_configuration
# resource (compare negative test 3). No such resource references mybucket0,
# so nothing in this file enables default encryption for it.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket0" {
  bucket = "my-tf-example-bucket"
}
Positive test num. 8 - tf file
# Positive case 8 (provider 4.2.0): a separate encryption resource exists, but
# it combines AES256 with a master key (see below).
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket1" {
  bucket = "my-tf-example-bucket"
}

# Linked to the bucket above via its bucket attribute.
resource "aws_s3_bucket_server_side_encryption_configuration" "example2" {
  bucket = aws_s3_bucket.mybucket1.bucket

  rule {
    # Flagged: sse_algorithm is AES256 (SSE-S3) yet kms_master_key_id is set;
    # the rule requires a null, empty or undefined master key for AES256.
    apply_server_side_encryption_by_default  {
        kms_master_key_id = "some-key"
        sse_algorithm     = "AES256"
    }
  }
}
Positive test num. 9 - tf file
# Positive case 9 (provider 4.2.0): a separate encryption resource requests
# aws:kms but does not name the key (see below).
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket2" {
  bucket = "my-tf-example-bucket"
}

# Linked to the bucket above via its bucket attribute.
resource "aws_s3_bucket_server_side_encryption_configuration" "example3" {
  bucket = aws_s3_bucket.mybucket2.bucket

  rule {
    # Flagged: sse_algorithm is aws:kms but no kms_master_key_id is given;
    # the rule requires a master key for any algorithm other than AES256.
    apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
    }
  }
}
Positive test num. 10 - tf file
# Positive case 10 (provider 4.2.0): the encryption resource exists but its
# rule never declares a default algorithm (see below).
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket22" {
  bucket = "my-tf-example-bucket"
}

# Linked to the bucket above via its bucket attribute.
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
  bucket = aws_s3_bucket.mybucket22.bucket

  # Flagged: the rule only sets bucket_key_enabled = false and contains no
  # apply_server_side_encryption_by_default block, so neither an algorithm
  # nor a key is declared for the bucket.
  rule {
    bucket_key_enabled = false
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative case 1 (classic aws_s3_bucket, provider ~> 3.0): compliant, because
# aws:kms is paired with an explicit kms_master_key_id.
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

resource "aws_s3_bucket" "negative1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  # Compliant: aws:kms with a master key, as the rule requires for any
  # algorithm other than AES256. aws_kms_key.mykey is referenced here but
  # defined outside this sample.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  versioning {
    mfa_delete = true
  }
}
Negative test num. 2 - tf file
# Negative case 2 (terraform-aws-modules/s3-bucket 3.7.0): compliant module
# form - aws:kms paired with an explicit kms_master_key_id.
module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # Compliant: aws:kms with a master key, as the rule requires for any
  # algorithm other than AES256. aws_kms_key.mykey is defined outside this
  # sample.
   server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
Negative test num. 3 - tf file
# Negative case 3 (provider 4.2.0): compliant - the separate encryption
# resource pairs aws:kms with an explicit kms_master_key_id.
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-tf-example-bucket"
}

# Linked to the bucket above via its bucket attribute.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.mybucket.bucket

  rule {
    # Compliant: aws:kms with a master key, as the rule requires for any
    # algorithm other than AES256. aws_kms_key.mykey is defined outside this
    # sample.
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

Negative test num. 4 - tf file
# Negative case 4 (provider 4.2.0): compliant - AES256 (SSE-S3) with no
# master key, which is exactly what the rule requires for AES256. Both
# resources use count, so the link is made through count.index.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket22" {
  count  = 1
  bucket = "my-tf-example-bucket"
}

# Linked to the matching bucket instance via [count.index].
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
  count  = 1
  bucket = aws_s3_bucket.mybucket22[count.index].bucket

  rule {
    # Compliant: AES256 with kms_master_key_id left undefined.
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}