AWS S3 Object Copy not encrypted using Customer Managed Key
Description
This is a simple check to ensure that the S3 Object Copy uses AWS Key Management Service (KMS) to encrypt its contents. To resolve, set `kms_key_id` on the `aws_s3_object_copy` resource to the ARN of your KMS key when creating the resource.
Code Example
```hcl
resource "aws_s3_object_copy" "test" {
  bucket = "destination_bucket"
  key    = "destination_key"
  source = "source_bucket/source_key"

  # Reference the key resource directly. A quoted "aws_kms_key.foo.arn" would be
  # sent to AWS as a literal string instead of the key's ARN.
  kms_key_id = aws_kms_key.foo.arn

  # Carried over from the original example: this grant gives anonymous read
  # access to the copied object. Remove it unless public read is intended.
  grant {
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
    type        = "Group"
    permissions = ["READ"]
  }
}
```
Remediation
Terraform
- Resource: aws_s3_object_copy
- Attribute: kms_key_id - (Optional) Specifies the AWS KMS Key ARN to use for object encryption. This value is a fully qualified ARN of the KMS Key.
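As an added example (not the Checkov implementation of this rule, nor code from this page), the same check applied to Terraform plan JSON, the TerraformPlan framework this rule also covers. It reads `resource_changes` and `after_unknown` (real fields of `terraform show -json` output) so that a `kms_key_id` referencing a key created in the same plan still passes, and it additionally flags a value that is not a KMS ARN, key ID or alias, which is what the quoted `"aws_kms_key.foo.arn"` literal would look like in a plan. The plan excerpt is constructed.

```python
import re

# Accept a KMS key ARN, a bare key ID (UUID) or an alias; anything else, such as
# the quoted literal "aws_kms_key.foo.arn", is reported as misconfigured.
_KMS_ID_RE = re.compile(
    r"^(arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+"
    r"|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|alias/\S+)$"
)

def check_object_copy_encryption(plan: dict) -> list[tuple[str, str]]:
    """Return (address, finding) for each aws_s3_object_copy lacking a usable
    kms_key_id. Uses resource_changes so a key created in the same plan, whose
    ARN is unknown until apply (after_unknown), still counts as configured."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_object_copy":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # being destroyed; nothing left to encrypt
        if (change.get("after_unknown") or {}).get("kms_key_id") is True:
            continue  # e.g. kms_key_id = aws_kms_key.foo.arn, resolved at apply
        key = (change.get("after") or {}).get("kms_key_id")
        if not key:
            findings.append((rc["address"], "kms_key_id not set"))
        elif not _KMS_ID_RE.match(key):
            findings.append((rc["address"], f"kms_key_id {key!r} is not a KMS ARN, key ID or alias"))
    return findings

# Constructed plan excerpt (not from a real account): one copy with no key, one
# with the reference mistakenly quoted, one correctly referencing a new key.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_object_copy.plain", "type": "aws_s3_object_copy", "change": {
        "actions": ["create"], "after": {"bucket": "destination_bucket"}, "after_unknown": {"etag": True}}},
    {"address": "aws_s3_object_copy.quoted", "type": "aws_s3_object_copy", "change": {
        "actions": ["create"], "after": {"kms_key_id": "aws_kms_key.foo.arn"}, "after_unknown": {}}},
    {"address": "aws_s3_object_copy.ok", "type": "aws_s3_object_copy", "change": {
        "actions": ["create"], "after": {}, "after_unknown": {"kms_key_id": True}}},
]}

if __name__ == "__main__":
    for address, finding in check_object_copy_encryption(SAMPLE_PLAN):
        print(f"FAILED {address}: {finding}")
```

Run it against `terraform show -json tfplan` output to get the same verdict as the rule, plus the literal-string check that a plain `kms_key_id` presence test would miss.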
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0230 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_181 |