S3 Bucket SSE Disabled
- Query id: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
- Query name: S3 Bucket SSE Disabled
- Platform: CloudFormation
- Severity: High
- Category: Encryption
- URL: Github
Description¶
If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
DeletionPolicy: Delete
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256",
"KMSMasterKeyID": "KMS-KEY-ARN"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Positive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'AES256'
KMSMasterKeyID: KMS-KEY-ARN
DeletionPolicy: Delete
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "S3 bucket with default encryption",
"Resources": {
"EncryptedS3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": {
"Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
},
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "KMS-KEY-ARN"
}
}
]
}
},
"DeletionPolicy": "Delete"
}
}
}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
EncryptedS3Bucket:
Type: 'AWS::S3::Bucket'
Properties:
BucketName:
'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: 'aws:kms'
KMSMasterKeyID: KMS-KEY-ARN
DeletionPolicy: Delete