logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure encryption algorithm - Default encryption - Aws

Need

Implementation of customer-controlled keys for encryption

Context

  1. Usage of Terraform for Infrastructure as Code (IaC)
  2. Usage of aws_s3_bucket for interacting with Amazon S3 buckets

Description

Insecure Code Example

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "alias/aws/s3"
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

In this Terraform code, an S3 bucket is being created with server-side encryption enabled. However, the encryption is configured to use the default AWS KMS key (`alias/aws/s3`). This is an insecure practice as the default keys are managed by AWS and not the customer. The `kms_master_key_id` parameter is set to `alias/aws/s3`, which refers to the default AWS-managed KMS key for S3. The `sse_algorithm` parameter is set to `aws:kms`, indicating that AWS KMS is being used for the server-side encryption. The problem with this code is that it does not provide the full benefits of the AWS KMS service. Specifically, it does not allow the customer to control and manage their own encryption keys. This can limit the customer's ability to comply with certain security and compliance requirements. Furthermore, if the default AWS-managed key is compromised, all data encrypted with that key could be at risk. By contrast, if a customer-managed key is compromised, only the data encrypted with that specific key would be at risk.

Steps

  1. Create a Customer Managed Key (CMK) in AWS Key Management Service (KMS).
  2. Replace the 'kms_master_key_id' value with the ARN of the CMK created in step 1.
  3. Update the 'sse_algorithm' value to 'aws:kms'.
  4. Save and apply the changes to the code.

Secure Code Example

resource "aws_kms_key" "my_key" {
  description             = "My KMS key for S3 bucket encryption"
  deletion_window_in_days = 7
}

resource "aws_s3_bucket" "bucket" {
  bucket = "my-bucket"
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.my_key.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

The above code first creates a Customer Managed Key (CMK) using the `aws_kms_key` resource. The `description` attribute is used to provide a description for the key and `deletion_window_in_days` attribute is used to specify the number of days to retain the key after deletion. Then, the `aws_s3_bucket` resource is used to create an S3 bucket with the name "my-bucket". The `acl` attribute is set to "private" to ensure that the bucket is not publicly accessible. In the `server_side_encryption_configuration` block, the `rule` block is used to apply server-side encryption by default. The `kms_master_key_id` attribute is set to the ARN of the CMK created earlier, and the `sse_algorithm` attribute is set to "aws:kms" to specify that AWS KMS should be used for encryption. This way, instead of using the default AWS managed keys, a customer managed key is used for encryption, which provides more control and security.

References

  • 411 - Insecure encryption algorithm - Default encryption

    • Last updated

    2023/09/18