S3 Bucket SSE Disabled
- Query id: 6726dcc0-5ff5-459d-b473-a780bef7665c
- Query name: S3 Bucket SSE Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description
If the SSE algorithm is AES256, the master key must be null, empty or undefined; otherwise the master key is required.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample 1: the bucket declares no server_side_encryption_configuration
# block, so neither a default SSE algorithm nor a master key is defined and the
# query reports the bucket.
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
# Versioning with MFA delete protects against deletion, not disclosure; it does
# not replace an encryption configuration.
versioning {
mfa_delete = true
}
}
Positive test num. 2 - tf file
# Positive sample 2: sse_algorithm is AES256 (S3-managed keys) but a
# kms_master_key_id is also supplied. Per the query description, a master key
# must be null, empty or undefined when the algorithm is AES256, so this
# combination is reported.
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# A KMS key id together with AES256 is the inconsistency the query flags.
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 3 - tf file
# Positive sample 3: sse_algorithm is aws:kms but no kms_master_key_id is set.
# Per the query description, a master key is required for any algorithm other
# than AES256, so the bucket is reported.
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# Missing kms_master_key_id: the query expects an explicit key for aws:kms.
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
# Positive sample 5: the same AES256-plus-master-key inconsistency as sample 2,
# expressed through the terraform-aws-modules/s3-bucket module instead of a
# bare aws_s3_bucket resource.
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
# NOTE(review): versioning above is passed as an attribute (`= { ... }`) while
# server_side_encryption_configuration is written as a nested block; confirm
# against the module's documented input shape that the block form is what the
# fixture intends.
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# A KMS key id together with AES256 is the inconsistency the query flags.
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
}
Positive test num. 6 - tf file
Positive test num. 7 - tf file
Positive test num. 8 - tf file
# Positive sample 8: AWS provider 4.x layout, where encryption is configured in
# a separate aws_s3_bucket_server_side_encryption_configuration resource that
# references the bucket. The rule sets AES256 together with a kms_master_key_id,
# which the query description disallows, so it is reported.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket1" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example2" {
# Linked to the bucket above by reference, not by name string.
bucket = aws_s3_bucket.mybucket1.bucket
rule {
apply_server_side_encryption_by_default {
# A KMS key id together with AES256 is the inconsistency the query flags.
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
Positive test num. 9 - tf file
# Positive sample 9: provider 4.x layout with a separate encryption resource.
# sse_algorithm is aws:kms without a kms_master_key_id; the query description
# requires a master key for any algorithm other than AES256, so it is reported.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket2" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example3" {
bucket = aws_s3_bucket.mybucket2.bucket
rule {
apply_server_side_encryption_by_default {
# Missing kms_master_key_id: the query expects an explicit key for aws:kms.
sse_algorithm = "aws:kms"
}
}
}
Positive test num. 10 - tf file
# Positive sample 10: the encryption resource exists, but its rule contains
# only bucket_key_enabled and no apply_server_side_encryption_by_default block,
# so no default SSE algorithm or key is declared and the query reports it.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket22" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
bucket = aws_s3_bucket.mybucket22.bucket
rule {
# bucket_key_enabled alone does not select an algorithm or a key.
bucket_key_enabled = false
}
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample 1: sse_algorithm is aws:kms and kms_master_key_id references
# a KMS key ARN, which satisfies the query description (a master key is required
# when the algorithm is not AES256). Not reported.
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "negative1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# aws_kms_key.mykey is referenced but not defined in this sample; the
# fixture only needs the attribute to be non-empty.
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
Negative test num. 2 - tf file
# Negative sample 2: the compliant aws:kms-plus-key configuration of sample 1,
# expressed through the terraform-aws-modules/s3-bucket module. Not reported.
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
# NOTE(review): versioning above is passed as an attribute (`= { ... }`) while
# server_side_encryption_configuration is written as a nested block; confirm
# against the module's documented input shape that the block form is what the
# fixture intends.
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# aws_kms_key.mykey is referenced but not defined in this sample.
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}
Negative test num. 3 - tf file
# Negative sample 3: provider 4.x layout with a separate encryption resource
# that sets aws:kms together with a KMS key ARN. This satisfies the query
# description, so it is not reported.
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
# Linked to the bucket above by reference, not by name string.
bucket = aws_s3_bucket.mybucket.bucket
rule {
apply_server_side_encryption_by_default {
# aws_kms_key.mykey is referenced but not defined in this sample.
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
Negative test num. 4 - tf file
# Negative sample 4: AES256 with no kms_master_key_id, which is exactly what
# the query description allows for AES256. Not reported. Both resources use
# count and the encryption resource references the bucket through
# count.index, so this sample presumably also checks that the query follows
# count-indexed references (verify against the query source).
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket22" {
count = 1
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
count = 1
# Indexed reference to the count-created bucket instance.
bucket = aws_s3_bucket.mybucket22[count.index].bucket
rule {
apply_server_side_encryption_by_default {
# AES256 (S3-managed keys) must not be paired with a kms_master_key_id.
sse_algorithm = "AES256"
}
}
}