S3 buckets do not have event notifications enabled
Description
This policy detects S3 buckets for which event notifications are not enabled (no `aws_s3_bucket_notification` resource with a destination is attached to the bucket).
Code Example
```hcl
resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
}

resource "aws_sns_topic" "bucket_notifications" {
  name = "bucket-notifications"
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.bucket.id

  topic {
    topic_arn     = aws_sns_topic.bucket_notifications.arn
    events        = ["s3:ObjectCreated:*"]
    filter_prefix = "logs/"
  }
}
```
Remediation
Terraform
- Resource: aws_s3_bucket, aws_s3_bucket_notification
- Arguments: queue, lambda_function, topic
Fix the issue by enabling event notifications for the S3 bucket. Use the `aws_s3_bucket_notification` resource and specify the destination type (an Amazon SQS queue, an Amazon SNS topic, or an AWS Lambda function) to which Amazon S3 should publish the events.
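As an added example (not the page's own code, and not Checkov's implementation of CKV2_AWS_62), the following check applies the detection described above to a constructed Terraform plan fragment: a bucket counts as covered only if a notification resource references it and carries at least one of the `queue`, `lambda_function` or `topic` blocks listed under Remediation with an `events` list. It assumes the `terraform show -json` configuration layout and inspects only the root module.

```python
import json

# Constructed Terraform plan fragment (shape of `terraform show -json`, root module
# only); not output from the page's own configuration. "orphan" has no notification.
PLAN_JSON = """
{"configuration": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.bucket", "type": "aws_s3_bucket",
   "expressions": {"bucket": {"constant_value": "bucket"}}},
  {"address": "aws_s3_bucket.orphan", "type": "aws_s3_bucket",
   "expressions": {"bucket": {"constant_value": "orphan"}}},
  {"address": "aws_s3_bucket_notification.bucket_notification",
   "type": "aws_s3_bucket_notification",
   "expressions": {
     "bucket": {"references": ["aws_s3_bucket.bucket.id", "aws_s3_bucket.bucket"]},
     "topic": [{"topic_arn": {"references": ["aws_sns_topic.bucket_notifications.arn"]},
                "events": {"constant_value": ["s3:ObjectCreated:*"]}}]}}
]}}}
"""

# Destination block types listed under Remediation.
DESTINATIONS = ("queue", "lambda_function", "topic")

def notified_buckets(resources):
    """Addresses of aws_s3_bucket resources referenced by a notification that
    carries at least one destination block with an events list."""
    covered = set()
    for res in resources:
        if res.get("type") != "aws_s3_bucket_notification":
            continue
        expr = res.get("expressions", {})
        blocks = [b for key in DESTINATIONS for b in expr.get(key, [])]
        if not any(b.get("events") for b in blocks):
            continue  # notification resource without a usable destination
        for ref in expr.get("bucket", {}).get("references", []):
            if ref.startswith("aws_s3_bucket."):
                covered.add(".".join(ref.split(".")[:2]))  # drop trailing ".id"
    return covered

def find_violations(plan_json):
    """Bucket addresses with no event notification: the condition this policy flags."""
    resources = json.loads(plan_json)["configuration"]["root_module"]["resources"]
    covered = notified_buckets(resources)
    return sorted(r["address"] for r in resources
                  if r.get("type") == "aws_s3_bucket" and r["address"] not in covered)

if __name__ == "__main__":
    for addr in find_violations(PLAN_JSON):
        print(f"IAC-0496 / CKV2_AWS_62: {addr} has no event notification configured")
```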
Secure code example:
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0496 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_62 |