Closed pingoleon108 closed 2 months ago
Hi @pingoleon108, thank you for reaching out. `server_side_encryption_configuration` is deprecated. I have shared the docs for your ref: `s3_bucket_server_side_encryption_configuration`.
`aws_s3_bucket` and `aws_s3_bucket_logging` are different resources.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging
If you use a logging bucket resource, the CKV_AWS_145 policy will not fail and has no effect.
```terraform
resource "aws_s3_bucket_logging" "some-name" {
  bucket        = aws_s3_bucket.my_bucket.id
  target_bucket = "log_destination_bucket"
  target_prefix = aws_s3_bucket.my_bucket.id
}
```
Resource: `aws_s3_bucket`
Arguments: `apply_server_side_encryption_by_default.kms_master_key_id`
```diff
 resource "aws_s3_bucket" "bucket_name" {
   bucket = "bucket_good"
 }
+ resource "aws_s3_bucket_server_side_encryption_configuration" "good_sse_1" {
+   bucket = aws_s3_bucket.bucket_name.bucket
+
+   rule {
+     apply_server_side_encryption_by_default {
+       kms_master_key_id = aws_kms_key.mykey.arn
+       sse_algorithm     = "aws:kms"
+     }
+   }
+ }
```
Thank you!
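The arrangement this comment describes, written out as an added example (it is not code from the issue or from checkov's docs): the log target bucket keeps SSE-S3 (AES256), since the AWS note quoted in the issue says SSE-KMS is not supported there, the data bucket is KMS-encrypted through the separate `aws_s3_bucket_server_side_encryption_configuration` resource, and logging is wired with `aws_s3_bucket_logging` rather than an inline block. All bucket, key and resource names are assumed.

```terraform
# Added example, not from the issue or the checkov project. Names are assumed.

# Server access log destination. Per the AWS note quoted in the issue, SSE-KMS
# is not supported as default encryption on a log target bucket, so this bucket
# uses SSE-S3 (AES256), configured via the non-deprecated separate resource.
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-access-logs" # assumed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs" {
  bucket = aws_s3_bucket.access_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Customer-managed key for the data bucket.
resource "aws_kms_key" "data" {
  description         = "example data bucket key" # assumed
  enable_key_rotation = true
}

# Data bucket: KMS-encrypted by default, which is what CKV_AWS_145 looks for.
resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket" # assumed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.data.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

# Server access logging for the data bucket, delivered to the logs bucket,
# expressed with the separate aws_s3_bucket_logging resource.
resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "${aws_s3_bucket.data.id}/"
}
```

Scanning the directory with `checkov -d .` shows the data bucket's KMS configuration evaluated by CKV_AWS_145, while the log destination is declared with its own `aws_s3_bucket_server_side_encryption_configuration` using AES256 rather than the deprecated inline block.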
Describe the issue
According to AWS, "Default server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is not supported." for logging buckets. CKV_AWS_145 fails if we don't encrypt logging buckets using KMS: https://github.com/bridgecrewio/checkov/blob/64d266dc1b6f99988b7c283801f87a68323f9ab9/checkov/terraform/checks/graph_checks/aws/S3KMSEncryptedByDefault.yaml#L2
Examples
The following code should pass:
```terraform
resource "aws_s3_bucket" "s3_access_logging_bucket" {
  bucket        = var.name
  force_destroy = var.force_destroy
  tags = merge(
    var.platform_mandatory_tags,
    {
      "certified_by" = "team"
      "created_via"  = "Terraform"
    }
  )

  policy = data.aws_iam_policy_document.final_bucket_policy.json

  # Inline SSE block; the logging target uses SSE-S3 (AES256), not SSE-KMS.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
```