terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket
semgrep
Author
unknown
Download Count*
License
This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.
Run Locally
Run in CI
Defintion
rules:
- id: s3-unencrypted-bucket
patterns:
- pattern: a
- pattern: b
languages:
- hcl
severity: INFO
message: This rule has been deprecated, as all s3 buckets are encrypted by
default with no way to disable it. See
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration
for more info.
metadata:
references:
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
cwe:
- "CWE-311: Missing Encryption of Sensitive Data"
category: security
technology:
- terraform
- aws
owasp:
- A03:2017 - Sensitive Data Exposure
- A04:2021 - Insecure Design
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
deprecated: true
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
Examples
s3-unencrypted-bucket.tf
resource "aws_s3_bucket" "unencrypted" {
# ok: s3-unencrypted-bucket
bucket = "my-unencrypted-bucket"
acl = "private"
}
# ok: s3-unencrypted-bucket
resource "aws_s3_bucket" "bucket" {
bucket = "my-encrypted-bucket"
acl = "private"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
}
Short Link: https://sg.run/Jezw