terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk

Author
unknown
Ensure S3 object copies are encrypted at rest using KMS customer managed keys (CMKs). A CMK gives you control over the encryption key in terms of access (key policy and grants) and rotation. The rule flags any aws_s3_object_copy resource that does not set kms_key_id; such a copy falls back to the destination bucket's default encryption, which is SSE-S3 with an AWS-owned key unless the bucket has been configured for SSE-KMS. Note that the rule only checks that the attribute is present: it does not verify that the referenced key is customer managed rather than the AWS managed aws/s3 key, nor that rotation is enabled on it.

Definition

rules:
  - id: aws-s3-object-copy-encrypted-with-cmk
    patterns:
      - pattern: |
          resource "aws_s3_object_copy" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "aws_s3_object_copy" $ANYTHING {
            ...
            kms_key_id = ...
            ...
          }
    message: Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs
      give you control over the encryption key in terms of access and rotation.
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A03:2017 - Sensitive Data Exposure
      cwe:
        - "CWE-320: CWE CATEGORY: Key Management Errors"
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

aws-s3-object-copy-encrypted-with-cmk.tf

# ok: aws-s3-object-copy-encrypted-with-cmk
resource "aws_s3_object_copy" "pass" {
  bucket             = aws_s3_bucket.target.bucket
  bucket_key_enabled = true
  key                = "test"
  # Setting kms_key_id selects SSE-KMS with the referenced customer managed key
  kms_key_id         = aws_kms_key.test.arn
  source             = "${aws_s3_bucket.source.bucket}/${aws_s3_bucket_object.source.key}"
}
# ruleid: aws-s3-object-copy-encrypted-with-cmk
resource "aws_s3_object_copy" "fail" {
  bucket             = aws_s3_bucket.target.bucket
  bucket_key_enabled = true
  key                = "test"
  # No kms_key_id: the copy inherits the target bucket's default encryption
  source             = "${aws_s3_bucket.source.bucket}/${aws_s3_bucket_object.source.key}"
}
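The test file above only shows the attribute the rule looks for. The following is an added example, not part of the Semgrep rule or its test file, showing what "control over access and rotation" looks like in practice: a customer managed key with rotation enabled and a key policy that limits use to one role, a bucket default that applies the same key, and an object copy that references it. The bucket names, the key alias, the object path and the copier_role_arn variable are assumptions for illustration.

```hcl
# Identity of the deploying account, used to keep the key administrable.
data "aws_caller_identity" "current" {}

# ARN of the role that performs the copy (assumed input for this example).
variable "copier_role_arn" {
  type = string
}

# Customer managed key: rotation is enabled and the key policy restricts use.
resource "aws_kms_key" "s3_copies" {
  description             = "CMK for S3 object copies (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Without this statement the key becomes unmanageable by the account.
        Sid       = "AllowAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # Only the copier role may use the key for data operations.
        Sid       = "AllowCopierToUseKey"
        Effect    = "Allow"
        Principal = { AWS = var.copier_role_arn }
        Action    = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "s3_copies" {
  name          = "alias/s3-object-copies"
  target_key_id = aws_kms_key.s3_copies.key_id
}

resource "aws_s3_bucket" "source" {
  bucket = "example-source-bucket"
}

resource "aws_s3_bucket" "target" {
  bucket = "example-target-bucket"
}

# Bucket-level default so objects written by other means also use the CMK.
resource "aws_s3_bucket_server_side_encryption_configuration" "target" {
  bucket = aws_s3_bucket.target.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3_copies.arn
    }
    bucket_key_enabled = true
  }
}

# The copy itself: kms_key_id selects SSE-KMS with the CMK, so the rule passes.
resource "aws_s3_object_copy" "report" {
  bucket             = aws_s3_bucket.target.bucket
  key                = "reports/2024-q1.csv"
  source             = "${aws_s3_bucket.source.bucket}/reports/2024-q1.csv"
  kms_key_id         = aws_kms_key.s3_copies.arn
  bucket_key_enabled = true
}
```

The explicit kms_key_id on the copy is what the rule checks; the bucket default is belt-and-braces for writes that bypass Terraform. The rule would be equally satisfied by a kms_key_id pointing at the AWS managed aws/s3 key, so reviewers should still confirm the referenced key is one whose policy and rotation they control.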