S3 Bucket SSE Disabled
- Query id: 6726dcc0-5ff5-459d-b473-a780bef7665c
- Query name: S3 Bucket SSE Disabled
- Platform: Terraform
- Severity: High
- Category: Encryption
- URL: Github
Description¶
S3 buckets should have default server-side encryption configured with a consistent algorithm/key pairing. A bucket (or `aws_s3_bucket_server_side_encryption_configuration` resource, or `terraform-aws-modules/s3-bucket` module call) is reported when it declares no `apply_server_side_encryption_by_default` rule at all, when `sse_algorithm` is `AES256` (SSE-S3) but a `kms_master_key_id` is also set (SSE-S3 does not use a customer KMS key, so the key is meaningless and signals a misconfiguration), or when `sse_algorithm` is `aws:kms` but no `kms_master_key_id` is given. In other words: `AES256` must be used without a KMS key, and `aws:kms` must reference an explicit KMS key so that the key policy and rotation are under your control.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Positive sample: the bucket declares no server_side_encryption_configuration
# block at all, so no default encryption algorithm is configured in this code
# and the query reports it.
resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  # NOTE(review): mfa_delete is set without `enabled = true`; MFA delete is
  # presumably only meaningful with versioning enabled — confirm this is intended.
  versioning {
    mfa_delete = true
  }
}
Positive test num. 2 - tf file
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Positive sample: kms_master_key_id is combined with sse_algorithm = "AES256".
# AES256 selects SSE-S3, which does not use a customer KMS key, so the key is
# inconsistent with the algorithm and the query reports it. Either drop the key
# (plain AES256) or switch to sse_algorithm = "aws:kms" with a real key ARN.
resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # "some-key" is a placeholder, not a KMS key ARN/alias.
        kms_master_key_id = "some-key"
        sse_algorithm     = "AES256"
      }
    }
  }

  # NOTE(review): mfa_delete is set without `enabled = true` — confirm intended.
  versioning {
    mfa_delete = true
  }
}
Positive test num. 3 - tf file
provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Positive sample: sse_algorithm = "aws:kms" without a kms_master_key_id.
# The query requires an explicit KMS key for SSE-KMS (see the negative samples,
# which reference aws_kms_key.mykey.arn); without one the key used is not
# visible or controlled from this code — presumably an AWS-managed key, verify.
resource "aws_s3_bucket" "positive1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"
      }
    }
  }

  # NOTE(review): mfa_delete is set without `enabled = true` — confirm intended.
  versioning {
    mfa_delete = true
  }
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
# Positive sample (module form): the community s3-bucket module is given a
# kms_master_key_id together with sse_algorithm = "AES256", the same
# key/algorithm mismatch as the resource-based positive samples.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # NOTE(review): `versioning` above is passed as an argument (`= { ... }`)
  # while this is written as a nested block. Module calls normally only accept
  # arguments, so this may not pass `terraform validate`; the scanner-facing
  # fixture is kept as-is, but confirm the intended module input syntax is
  # `server_side_encryption_configuration = { rule = { ... } }`.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # "some-key" is a placeholder, not a KMS key ARN/alias.
        kms_master_key_id = "some-key"
        sse_algorithm     = "AES256"
      }
    }
  }
}
Positive test num. 6 - tf file
Positive test num. 7 - tf file
Positive test num. 8 - tf file
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket1" {
  bucket = "my-tf-example-bucket"
}

# Positive sample (provider v4 split resource): kms_master_key_id is combined
# with sse_algorithm = "AES256". AES256 is SSE-S3 and does not use a customer
# KMS key, so the query reports the mismatch. Use AES256 with no key, or
# aws:kms with an explicit key ARN.
resource "aws_s3_bucket_server_side_encryption_configuration" "example2" {
  bucket = aws_s3_bucket.mybucket1.bucket

  rule {
    apply_server_side_encryption_by_default {
      # "some-key" is a placeholder, not a KMS key ARN/alias.
      kms_master_key_id = "some-key"
      sse_algorithm     = "AES256"
    }
  }
}
Positive test num. 9 - tf file
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket2" {
  bucket = "my-tf-example-bucket"
}

# Positive sample (provider v4 split resource): sse_algorithm = "aws:kms" with
# no kms_master_key_id. The query expects SSE-KMS to reference an explicit key
# (compare the negative samples, which set kms_master_key_id = aws_kms_key.mykey.arn).
resource "aws_s3_bucket_server_side_encryption_configuration" "example3" {
  bucket = aws_s3_bucket.mybucket2.bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
Positive test num. 10 - tf file
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

resource "aws_s3_bucket" "mybucket22" {
  bucket = "my-tf-example-bucket"
}

# Positive sample: the rule only sets bucket_key_enabled and has no
# apply_server_side_encryption_by_default block, so no default encryption
# algorithm is declared for the bucket and the query reports it.
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
  bucket = aws_s3_bucket.mybucket22.bucket

  rule {
    bucket_key_enabled = false
  }
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
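provider "aws" {
  region = "us-east-1"
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Customer-managed KMS key used as the bucket's default encryption key.
# The sample referenced aws_kms_key.mykey without declaring it, which fails
# validation as a reference to an undeclared resource; declaring it here makes
# the sample self-contained. Rotation is enabled so the key material is
# rotated automatically.
resource "aws_kms_key" "mykey" {
  description             = "Default encryption key for my-tf-test-bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Negative sample: sse_algorithm = "aws:kms" paired with an explicit
# kms_master_key_id, the combination the query accepts.
resource "aws_s3_bucket" "negative1" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }

  # NOTE(review): mfa_delete is set without `enabled = true` — confirm intended.
  versioning {
    mfa_delete = true
  }
}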
Negative test num. 2 - tf file
# Negative sample (module form): aws:kms with an explicit key ARN, the
# combination the query accepts.
# NOTE(review): aws_kms_key.mykey is referenced but not declared in this
# sample, so it would need a matching `resource "aws_kms_key" "mykey"` to plan.
module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.7.0"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

  # NOTE(review): written as a nested block while `versioning` above is an
  # argument; module calls normally only accept arguments, so confirm the
  # intended input syntax is `server_side_encryption_configuration = { rule = { ... } }`.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
Negative test num. 3 - tf file
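terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

provider "aws" {
  # Configuration options
}

# Customer-managed KMS key used as the bucket's default encryption key.
# The sample referenced aws_kms_key.mykey without declaring it, which fails
# validation as a reference to an undeclared resource; declaring it here makes
# the sample self-contained, with automatic key rotation enabled.
resource "aws_kms_key" "mykey" {
  description             = "Default encryption key for my-tf-example-bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "mybucket" {
  bucket = "my-tf-example-bucket"
}

# Negative sample (provider v4 split resource): aws:kms paired with an
# explicit kms_master_key_id, the combination the query accepts.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.mybucket.bucket

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}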
Negative test num. 4 - tf file
provider "aws" {
  # Configuration options
}

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.2.0"
    }
  }
}

# Negative sample: one bucket instance created via count.
resource "aws_s3_bucket" "mybucket22" {
  count  = 1
  bucket = "my-tf-example-bucket"
}

# Negative sample: SSE-S3 (AES256) with no kms_master_key_id, which is the
# consistent pairing the query accepts. The configuration resource is indexed
# with count.index so each instance attaches to its matching bucket instance.
resource "aws_s3_bucket_server_side_encryption_configuration" "example33" {
  count  = 1
  bucket = aws_s3_bucket.mybucket22[count.index].bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}