OSS Bucket Encryption Using CMK Disabled

• Query id: f20e97f9-4919-43f1-9be9-f203cd339cdd
• Query name: OSS Bucket Encryption Using CMK Disabled
• Platform: Terraform
• Severity: Medium
• Category: Encryption
• CWE: 311
• URL: Github

Description

OSS Bucket should have encryption enabled using Customer Master Key
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file

resource "alicloud_oss_bucket" "bucket_cmk_encryption2" {
  bucket = "bucket-170309-sserule"
  acl    = "private"

  server_side_encryption_rule {
    sse_algorithm = "AES256"
  }
}

Positive test num. 2 - tf file

resource "alicloud_oss_bucket" "bucket_cmk_encryption3" {
  bucket = "bucket-170309-sserule"
  acl    = "private"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file

resource "alicloud_oss_bucket" "bucket_cmk_encryption1" {
  bucket = "bucket-170309-sserule"
  acl    = "private"

  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = "your kms key id"
  }
}