S3 Bucket SSE Disabled

Query id: 309edc5b-5a59-42b4-a357-d4d098311fd4
Query name: S3 Bucket SSE Disabled
Platform: Ansible
Severity: High
Category: Encryption
URL: Github

Description¶

If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

---
- name: mys3Bucket
  amazon.aws.s3_bucket:
      name: mys3bucket
      state: present
      encryption: "aws:kms"

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

- name: mys3Bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    encryption: AES256