S3 bucket is not encrypted Affecting S3 service in AWS

Snyk CCSS

Data / Encryption at Rest

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-Architected CIS-AWS CIS-Controls CSA-CCM GDPR HIPAA ISO-27001 NIST-800-53 SOC-2

Snyk ID SNYK-CC-00022
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest and helps prevent the breach of sensitive information assets. Objects can be encrypted with S3 Managed Keys (SSE-S3), KMS Managed Keys (SSE-KMS), or Customer Provided Keys (SSE-C).

How to fix?

In the aws_s3_bucket, define a rule in the server_side_encryption_configuration block.

Example Configuration

resource "aws_kms_key" "mykey" {
  # other required fields here
}
resource "aws_s3_bucket" "bucket" {
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.mykey.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  # other required fields here
}

Terraform

Resource: aws_s3_bucket

References

Enabling Amazon S3 default bucket encryption