AWS017 - Unencrypted S3 bucket.

Explanation

S3 Buckets should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific buckets.

Insecure Example

The following example will fail the AWS017 check.

resource "aws_s3_bucket" "bad_example" {
  bucket = "mybucket"
}

Secure Example

The following example will pass the AWS017 check.

resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "arn"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

Getting Started

Checks

Config

GitHub Actions

AWS017 - Unencrypted S3 bucket.

Explanation

Insecure Example

Secure Example

Getting Started

Checks

Config

GitHub Actions

Getting Started

Checks

Config

GitHub Actions

AWS017 - Unencrypted S3 bucket.

Explanation

Insecure Example

Secure Example

Related Links

Getting Started

Checks

Config

GitHub Actions