S3 Bucket SSE Disabled

  • Query id: 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61
  • Query name: S3 Bucket SSE Disabled
  • Platform: CloudFormation
  • Severity: High
  • Category: Encryption
  • URL: Github

Description

If the master key is null, empty, or undefined, then the SSE algorithm should be AES256. Conversely, if the SSE algorithm is AES256, then the master key should be null, empty, or undefined.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "aws:kms"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
    DeletionPolicy: Delete
Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "AES256",
                              "KMSMasterKeyID": "KMS-KEY-ARN"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}

Positive test num. 4 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
      "EncryptedS3Bucket": {
          "Type": "AWS::S3::Bucket",
          "Properties": {
              "BucketName": {
                  "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
              },
              "BucketEncryption": {
                  "ServerSideEncryptionConfiguration": [
                      {
                          "ServerSideEncryptionByDefault": {
                              "SSEAlgorithm": "aws:kms",
                              "KMSMasterKeyID": "KMS-KEY-ARN"
                          }
                      }
                  ]
              }
          },
          "DeletionPolicy": "Delete"
      }
  }
}
Negative test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete