OSS Bucket Encryption Using CMK Disabled

  • Query id: f20e97f9-4919-43f1-9be9-f203cd339cdd
  • Query name: OSS Bucket Encryption Using CMK Disabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Encryption
  • CWE: 311
  • URL: Github

Description

The OSS bucket should have server-side encryption enabled with a Customer Master Key (CMK): its server_side_encryption_rule block must set sse_algorithm to "KMS" and supply a kms_master_key_id. A bucket with no server_side_encryption_rule, or one that only uses the service-managed "AES256" algorithm, is flagged.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket_cmk_encryption2" {
  bucket = "bucket-170309-sserule"
  acl    = "private"

  server_side_encryption_rule {
    sse_algorithm = "AES256"
  }
}

Positive test num. 2 - tf file
resource "alicloud_oss_bucket" "bucket_cmk_encryption3" {
  bucket = "bucket-170309-sserule"
  acl    = "private"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "alicloud_oss_bucket" "bucket_cmk_encryption1" {
  bucket = "bucket-170309-sserule"
  acl    = "private"

  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = "your kms key id"
  }
}
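The check this query performs, as an added example written for this page: a small Python script (not the KICS query itself, which is written in Rego) that scans the three sample buckets above, constructed inline as SAMPLE_TF, and reports every alicloud_oss_bucket whose server_side_encryption_rule is missing or does not use KMS with a kms_master_key_id.

```python
import re

# Constructed sample: the two positive and one negative bucket from this page.
SAMPLE_TF = """
resource "alicloud_oss_bucket" "bucket_cmk_encryption2" {
  bucket = "bucket-170309-sserule"
  acl    = "private"
  server_side_encryption_rule {
    sse_algorithm = "AES256"
  }
}
resource "alicloud_oss_bucket" "bucket_cmk_encryption3" {
  bucket = "bucket-170309-sserule"
  acl    = "private"
}
resource "alicloud_oss_bucket" "bucket_cmk_encryption1" {
  bucket = "bucket-170309-sserule"
  acl    = "private"
  server_side_encryption_rule {
    sse_algorithm     = "KMS"
    kms_master_key_id = "your kms key id"
  }
}
"""

RESOURCE_RE = re.compile(r'resource\s+"alicloud_oss_bucket"\s+"([^"]+)"\s*\{')
SSE_RE = re.compile(r"server_side_encryption_rule\s*\{([^}]*)\}", re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def block_body(text, start):
    """Return the text between the brace at `start` and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")

def find_buckets_without_cmk(hcl):
    """Names of alicloud_oss_bucket resources that are not encrypted with a KMS CMK."""
    failing = []
    for m in RESOURCE_RE.finditer(hcl):
        body = block_body(hcl, m.end() - 1)        # m.end()-1 is the opening brace
        sse = SSE_RE.search(body)
        attrs = dict(ATTR_RE.findall(sse.group(1))) if sse else {}
        # Compliant only when the algorithm is KMS and a CMK id is supplied.
        if attrs.get("sse_algorithm") != "KMS" or not attrs.get("kms_master_key_id"):
            failing.append(m.group(1))
    return failing

if __name__ == "__main__":
    for name in find_buckets_without_cmk(SAMPLE_TF):
        print(f"{name}: server-side encryption is not using a KMS CMK")
```

The regexes cover the flat attribute shape shown on this page only; real Terraform with expressions or nested blocks inside the rule would need a proper HCL parser.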