S3 Bucket SSE Disabled

Query id: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
Query name: S3 Bucket SSE Disabled
Platform: CloudFormation
Severity: High
Category: Encryption
URL: Github

Description¶

If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - json file

Positive test num. 2 - yaml file

< De Re

Positive test num. 3 - json file

/span>

{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { class="w">                              "SSEAlgorithm": "aws:kms" } } ] } }, "DeletionPolicy": "Delete" } } } /span>AWSTemplateFormatVersion: '2010-09-09' scription: S3 bucket with default encryption sources: EncryptedS3Bucket: Type: 'AWS::S3::Bucket' Properties: BucketName: 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: class="w">              SSEAlgorithm: 'aws:kms' DeletionPolicy: Delete /span>{ "AWSTemplateFormatVersion": "2010-09-09", "Description": "S3 bucket with default encryption", "Resources": { "EncryptedS3Bucket": { "Type": "AWS::S3::Bucket", "Properties": { "BucketName": { "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" }, "BucketEncryption": { "ServerSideEncryptionConfiguration": [ { "ServerSideEncryptionByDefault": { "SSEAlgorithm": "AES256", class="w">                              "KMSMasterKeyID": "KMS-KEY-ARN" } } ] } }, "DeletionPolicy": "Delete" } } }
Positive test num. 4 - yaml file

AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete



Code samples without security vulnerabilities¶
Negative test num. 1 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "aws:kms",
                              "KMSMasterKeyID": "KMS-KEY-ARN"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}

Negative test num. 2 - yaml fileAWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete