Non-encrypted confidential information - S3 Server Side Encryption

Need

Enforcement of Server-Side Encryption for all S3 buckets

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of aws-sdk for interacting with Amazon Web Services (AWS) services

Description

1. Non-compliant code

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  # No server_side_encryption_configuration block: the bucket carries no
  # explicit encryption-at-rest setting (this is the finding).
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

In the above code, an S3 bucket named "my-bucket" is created. `acl = "private"` keeps the bucket off the public internet: only principals granted access through IAM or a bucket policy can reach it. The `tags` attribute attaches metadata to the bucket as key-value pairs. The problem is that no `server_side_encryption_configuration` block is defined, so nothing in this configuration enables Server-Side Encryption (SSE), the S3 feature that encrypts objects at rest on the disks in AWS data centers. Since January 2023 S3 applies SSE-S3 to new objects by default, but this code neither records that decision nor lets you choose SSE-KMS, and objects written before a default took effect stay unencrypted unless they are rewritten. Be precise about the threat SSE addresses: it protects against access to the underlying storage media and, with SSE-KMS, adds a second authorization check (the reader also needs `kms:Decrypt` on the key, and every decryption is logged in CloudTrail). It does not stop a principal who already holds `s3:GetObject`, because S3 decrypts transparently for authorized requests, so SSE complements a strict bucket policy rather than replacing it. To fix the finding, add a `server_side_encryption_configuration` block to the resource with a `rule` block containing `apply_server_side_encryption_by_default`, and set `sse_algorithm` to `"AES256"` (SSE-S3) or `"aws:kms"` (SSE-KMS).

2. Steps

• Modify the 'aws_s3_bucket' resource block to include the 'server_side_encryption_configuration' argument.

• Set the 'server_side_encryption_configuration' argument to enable server-side encryption for the S3 bucket.

• Choose the appropriate server-side encryption method, such as SSE-S3 or SSE-KMS, based on your requirements.

• Save the changes and apply the updated Terraform configuration to provision the S3 bucket with server-side encryption enabled.
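The following configuration carries the steps above through in the current (AWS provider v4 and later) form. It is added here as an example and is not code from the original page: it keeps the `aws_s3_bucket` and `aws_s3_bucket_server_side_encryption_configuration` resources separate, selects SSE-KMS with a customer-managed key and bucket keys, blocks public access, and adds a bucket policy that rejects uploads that do not request SSE-KMS instead of silently falling back to another mode. The bucket name, key description and tags are placeholders.

```hcl
# Added example (not from the original page). Assumes the hashicorp/aws
# provider >= 4.0; "my-bucket" and the key description are placeholders.

# Customer-managed key so decryptions are auditable and revocable.
resource "aws_kms_key" "s3" {
  description             = "CMK for objects in my-bucket"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# Provider v4+ replaces the in-resource server_side_encryption_configuration
# block with this standalone resource.
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    # Bucket keys reduce KMS request volume (and cost) for SSE-KMS buckets.
    bucket_key_enabled = true
  }
}

# Encryption at rest does nothing against a public bucket: S3 decrypts
# transparently for any authorized read, so block public access as well.
resource "aws_s3_bucket_public_access_block" "bucket" {
  bucket                  = aws_s3_bucket.bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default encryption only decides what happens when a PUT carries no
# encryption header. This policy also rejects writers that explicitly ask
# for SSE-S3 or no encryption, so every object ends up under the CMK above.
data "aws_iam_policy_document" "require_kms" {
  statement {
    sid       = "DenyNonKmsUploads"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # StringNotEquals also matches when the key is absent, so a PUT without
    # the header is denied too.
    condition {
      test     = "StringNotEquals"
      variable = "s3:x-amz-server-side-encryption"
      values   = ["aws:kms"]
    }
  }
}

resource "aws_s3_bucket_policy" "require_kms" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.require_kms.json
}
```

After `terraform apply`, confirm the setting with `aws s3api get-bucket-encryption --bucket my-bucket`. The bucket policy means every writer has to send `x-amz-server-side-encryption: aws:kms` on PutObject (for example `aws s3 cp file s3://my-bucket/ --sse aws:kms`); because the condition key is absent on a request that omits the header, such a request is denied regardless of the bucket default, so update the writers before rolling the policy out.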

3. Secure code example

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"   # SSE-S3; use "aws:kms" plus kms_master_key_id for SSE-KMS
      }
    }
  }

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

The updated resource adds a `server_side_encryption_configuration` block. Its `rule` block holds an `apply_server_side_encryption_by_default` block, which sets the encryption applied to every new object whose PUT request does not specify its own. Here `sse_algorithm` is `"AES256"`, that is, Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3); `"aws:kms"` together with `kms_master_key_id` would select SSE-KMS with a key you control, which lets you audit decryptions in CloudTrail and cut off access by changing the key policy. The `tags` block is unchanged. After `terraform apply`, new objects in the bucket are encrypted at rest; confirm with `aws s3api get-bucket-encryption --bucket my-bucket`. Two caveats: default encryption applies to objects written after it is set, not to objects already in the bucket, and in version 4 and later of the Terraform AWS provider both `acl` and the in-resource `server_side_encryption_configuration` block are deprecated in favor of the standalone `aws_s3_bucket_acl` and `aws_s3_bucket_server_side_encryption_configuration` resources. With the setting in place, an attacker who reaches the underlying storage, or who holds `s3:GetObject` but not `kms:Decrypt` when SSE-KMS is used, cannot read the data, which removes one route to a leak.