S3 Bucket SSE Disabled
- Query id: 6726dcc0-5ff5-459d-b473-a780bef7665c
- Query name: S3 Bucket SSE Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description¶
If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
versioning {
mfa_delete = true
}
}
Positive test num. 2 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 3 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "positive1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
}
Positive test num. 6 - tf file
Positive test num. 7 - tf file
Positive test num. 8 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket1" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example2" {
bucket = aws_s3_bucket.mybucket1.bucket
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "some-key"
sse_algorithm = "AES256"
}
}
}
Positive test num. 9 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket2" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example3" {
bucket = aws_s3_bucket.mybucket2.bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
}
}
}
Positive test num. 10 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket22" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
bucket = aws_s3_bucket.mybucket22.bucket
rule {
bucket_key_enabled = false
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.0"
}
}
}
resource "aws_s3_bucket" "negative1" {
bucket = "my-tf-test-bucket"
acl = "private"
tags = {
Name = "My bucket"
Environment = "Dev"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
versioning {
mfa_delete = true
}
}
Negative test num. 2 - tf file
module "s3_bucket" {
source = "terraform-aws-modules/s3-bucket/aws"
version = "3.7.0"
bucket = "my-s3-bucket"
acl = "private"
versioning = {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}
Negative test num. 3 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket" {
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
bucket = aws_s3_bucket.mybucket.bucket
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
Negative test num. 4 - tf file
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "4.2.0"
}
}
}
provider "aws" {
# Configuration options
}
resource "aws_s3_bucket" "mybucket22" {
count = 1
bucket = "my-tf-example-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
count = 1
bucket = aws_s3_bucket.mybucket22[count.index].bucket
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}