S3 buckets are not encrypted with KMS
Description
Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering. By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit. Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.
Code Example
go
resource "aws_s3_bucket" "bucket_name" {
bucket = "bucket_good"
}
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+ bucket = aws_s3_bucket.bucket_name.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }Remediation
Terraform
- Resource: aws_s3_bucket
- Arguments: apply_server_side_encryption_by_default.kms_master_key_id
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0195 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_145 |