S3 Encryption Does Not Use Customer Managed Keys

Using default S3 encryption does not provide fine grained access control. A customer managed key provide more granular control over S3 encryption.

=== Recommendation

resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.mybucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

Reference: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration

Metadata

Severity: informational
Slug: s3-encryption-does-not-use-customer-managed-keys

OWASP

A05:2021: Security Misconfiguration

Available Labs

Open Aws labs in SecDim Play for this vulnerability.

easy

S3.aws

Other Easy AWS Terraform

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.