Unencrypted S3 bucket.
Explanation
S3 Buckets should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific buckets.
Insecure Example
The following example will fail the AWS017 check.
resource "aws_s3_bucket" "my-bucket" {
bucket = "mybucket"
}
Secure Example
The following example will pass the AWS017 check.
resource "aws_s3_bucket" "my-bucket" {
bucket = "mybucket"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "arn"
sse_algorithm = "aws:kms"
}
}
}
}