aws-s3-unencrypted-at-rest
Ensure that all data stored in the S3 bucket is encrypted at rest by declaring default server-side encryption on the bucket.
When `sse_algorithm` is set to `"AES256"`, S3 uses SSE-S3: objects are encrypted server-side with keys that S3 creates and manages itself, so nothing needs to be provisioned and `kms_master_key_id` is not set. When `sse_algorithm` is `"aws:kms"` and `kms_master_key_id` isn't specified, S3 falls back to the AWS managed KMS key `alias/aws/s3`, which AWS also manages automatically. Setting `kms_master_key_id` to your own Customer Managed Key (SSE-KMS) is more involved, but it gives you control over the key policy and rotation, and means that reading or writing objects additionally requires `kms:Decrypt` / `kms:GenerateDataKey` on that key, which lets you restrict access beyond what S3 permissions alone allow. Two caveats: enabling default encryption does not re-encrypt objects that already exist in the bucket, and it only applies to uploads that do not specify their own `x-amz-server-side-encryption` header, so a bucket policy is needed if you want to reject uploads that use a different method. Since January 2023 AWS applies SSE-S3 to new buckets by default; declaring the configuration explicitly, as in the secure examples below, keeps the intent visible in code and lets this check verify it.
Examples
Insecure Example (no default encryption declared)
# Flagged by this check: there is no server_side_encryption_configuration
# block, so the template does not declare any default encryption for
# objects written to this bucket.
resource "aws_s3_bucket" "mybucket" {
bucket = "mybucket"
}
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "DOC-EXAMPLE-BUCKET"
}
}
}
Secure Examples (default server-side encryption declared; each example stands alone)
# SSE-S3: objects are encrypted at rest with keys that S3 creates and manages.
# No KMS key has to be created or permissioned, and kms_master_key_id is left unset.
resource "aws_s3_bucket" "mybucket" {
bucket = "mybucket"
# provides encryption at-rest without any maintenance required
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# "AES256" selects SSE-S3 (S3-managed keys).
sse_algorithm = "AES256"
}
}
}
}
# SSE-KMS with a Customer Managed Key. aws_kms_key.mykey must be defined
# elsewhere in the configuration, and any principal that reads or writes
# objects also needs kms:Decrypt / kms:GenerateDataKey on that key.
# NOTE: this example uses the same resource address as the SSE-S3 example
# above; they are alternatives, not meant to coexist in one module.
resource "aws_s3_bucket" "mybucket" {
bucket = "mybucket"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
# Omitting kms_master_key_id here would fall back to the AWS managed
# key alias/aws/s3 instead of the customer managed key.
kms_master_key_id = aws_kms_key.mykey.arn
sse_algorithm = "aws:kms"
}
}
}
}
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Delete",
"Properties": {
"BucketName": "DOC-EXAMPLE-BUCKET",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
}
}
}
}
"Resources": {
"S3Bucket": {
"Type": "AWS::S3::Bucket",
"DeletionPolicy": "Delete",
"Properties": {
"BucketName": "DOC-EXAMPLE-BUCKET",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms",
"KMSMasterKeyID": "KMS-KEY-ARN"
}
}
]
}
}
}
}