Terraform Server Side Encryption Disabled
Description
Identifies AWS S3 buckets that have server-side encryption (SSE) explicitly disabled through bucket policies in Terraform configurations. When S3 bucket encryption is disabled, data stored in the bucket is not automatically encrypted at rest, which could lead to unauthorized access to sensitive information.
Weakness: 099 - Non-encrypted confidential information - S3 Server Side Encryption
Category: Information Collection
Detection Strategy
• Examines Terraform resource blocks defining AWS S3 bucket policies
• Identifies bucket policy statements that explicitly deny or override default encryption settings
• Reports a vulnerability when a bucket policy is found that could prevent server-side encryption from being applied
Vulnerable code example
resource "aws_s3_bucket_policy" "vulnerable_example" {
  bucket = "my-bucket"
  policy = jsonencode({ # Vulnerable: Policy allows access when server-side encryption is not present
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"...
✅ Secure code example
resource "aws_s3_bucket_policy" "secure_example" {
  bucket = "my-bucket"
  policy = jsonencode({
    Version = "2012-10-17"
    Id = "EnforceServerSideEncryption"
    Statement = [
      {...
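The detection strategy above and the EnforceServerSideEncryption pattern of the secure example can be checked programmatically against the object that Terraform's jsonencode() serializes. The following is an added example, not Fluid Attacks' detector or the page's own code; it assumes the AWS-documented enforcement pattern (a Deny on s3:PutObject conditioned on the s3:x-amz-server-side-encryption request header) and uses two constructed sample policies.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"   # S3 condition key for the SSE request header
UPLOAD_ACTIONS = {"s3:putobject", "s3:*", "*"}

def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action, etc."""
    return value if isinstance(value, list) else [value]

def _covers_upload(stmt):
    return any(a.lower() in UPLOAD_ACTIONS for a in _as_list(stmt.get("Action", [])))

def _checks_sse_header(stmt):
    """True if any condition operator in the statement tests the SSE header."""
    return any(SSE_KEY in keys for keys in stmt.get("Condition", {}).values())

def enforces_sse(policy):
    """True if a Deny statement covers PutObject and is conditioned on the SSE header
    (Null: SSE_KEY = "true", or StringNotEquals against the expected algorithm)."""
    if isinstance(policy, str):                 # rendered output of jsonencode()
        policy = json.loads(policy)
    return any(stmt.get("Effect") == "Deny" and _covers_upload(stmt) and _checks_sse_header(stmt)
               for stmt in _as_list(policy.get("Statement", [])))

def audit_policy(policy):
    """Return human-readable findings; an empty list means SSE is enforced."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    if not enforces_sse(policy):
        findings.append("no Deny statement requires the SSE header on uploads")
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _covers_upload(stmt) and not _checks_sse_header(stmt):
            findings.append(f"statement {stmt.get('Sid', '<no Sid>')} allows uploads without an SSE condition")
    return findings

# Constructed sample policies (hypothetical bucket name, not taken from the page)
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyUpload", "Effect": "Allow", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SECURE_POLICY = {"Version": "2012-10-17", "Id": "EnforceServerSideEncryption", "Statement": [
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {SSE_KEY: "true"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("secure", SECURE_POLICY)):
        print(name, audit_policy(pol) or ["SSE enforced"])
```

A policy that passes this check still relies on the header being honoured; pairing it with a bucket-level default encryption configuration covers uploads that omit the header entirely.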