tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0
4.75k stars, 499 forks

Ensure S3 object is Encrypted #876

Open frediana opened 3 years ago

frediana commented 3 years ago

Description

Given an AWS S3 bucket encrypted using KMS defined as this using terraform:

resource "aws_s3_bucket" "foo" {
...
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "my_kms_key"
        sse_algorithm     = "aws:kms"
      }
      bucket_key_enabled = false
    }
  }
...
}

And given a key uploaded to this same bucket:

resource "aws_s3_bucket_object" "index" {
  bucket                 = aws_s3_bucket.foo.id
  key                    = "index.html"
  source                 = "${path.module}/index.html"
  etag                   = filemd5("${path.module}/index.html")
  content_type           = "text/html"
}

What I Did

Running a terrascan scan on this raises the following issue:

    Description    :    Ensure S3 object is Encrypted
    File           :    ../../front/storage.tf
    Line           :    44
    Severity       :    MEDIUM

While it should not, since the bucket itself is encrypted, the objects uploaded to it are encrypted too.

I would be happy to contribute if this issue is confirmed.

Adrien
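The check logic the issue asks for, as an added example that is not terrascan's own policy (terrascan policies are written in Rego; this is a Python model of the same decision): an `aws_s3_bucket_object` is flagged only when neither the object itself nor the bucket it is written to configures server-side encryption. The input shape is an assumption made so the example runs offline: a dict keyed by resource type, each entry a list of records with `id`, `name`, `line` and `config`, nested blocks as lists, and unresolved Terraform references kept as `${aws_s3_bucket.foo.id}` strings. The sample resources, including the `foo` bucket and `index` object from the issue, are constructed here.

```python
"""Added example, not terrascan code: flag aws_s3_bucket_object resources
only when neither the object nor its bucket configures SSE.

Assumed input shape (not from the issue): {resource_type: [record, ...]},
record = {"id", "name", "line", "config"}, nested blocks as lists, and
Terraform references kept as "${aws_s3_bucket.<name>.<attr>}" strings.
"""
import re

# Assumed reference form: "${aws_s3_bucket.foo.id}" or "aws_s3_bucket.foo.bucket".
_BUCKET_REF = re.compile(
    r"^\$?\{?aws_s3_bucket\.(?P<name>[A-Za-z0-9_-]+)(?:\.[A-Za-z_]+)?\}?$")

# Constructed sample input: the bucket/object pair from the issue plus three
# more objects that exercise the other branches of the check.
SAMPLE_INPUT = {
    "aws_s3_bucket": [
        {"id": "aws_s3_bucket.foo", "name": "foo", "line": 1, "config": {
            "bucket": "foo-site",
            "server_side_encryption_configuration": [{"rule": [{
                "apply_server_side_encryption_by_default": [
                    {"kms_master_key_id": "my_kms_key", "sse_algorithm": "aws:kms"}],
                "bucket_key_enabled": False}]}]}},
        {"id": "aws_s3_bucket.plain", "name": "plain", "line": 20,
         "config": {"bucket": "plain-bucket"}},
    ],
    "aws_s3_bucket_object": [
        # The object from the issue: no SSE on the object, KMS default on the bucket.
        {"id": "aws_s3_bucket_object.index", "name": "index", "line": 44,
         "config": {"bucket": "${aws_s3_bucket.foo.id}", "key": "index.html"}},
        # Unencrypted bucket, object sets nothing: must be flagged.
        {"id": "aws_s3_bucket_object.unprotected", "name": "unprotected", "line": 60,
         "config": {"bucket": "${aws_s3_bucket.plain.id}", "key": "a.txt"}},
        # Unencrypted bucket, but the object requests its own SSE: fine.
        {"id": "aws_s3_bucket_object.self_sse", "name": "self_sse", "line": 70,
         "config": {"bucket": "plain-bucket", "key": "b.txt",
                    "server_side_encryption": "AES256"}},
        # Bucket not managed in this plan: encryption cannot be proven, so flag.
        {"id": "aws_s3_bucket_object.external", "name": "external", "line": 80,
         "config": {"bucket": "some-external-bucket", "key": "c.txt"}},
    ],
}


def _first(value):
    """Nested blocks are lists in the assumed shape; return the first or {}."""
    if isinstance(value, list):
        return value[0] if value else {}
    return value or {}


def bucket_has_default_encryption(bucket):
    """True when the bucket declares apply_server_side_encryption_by_default
    with AES256 or aws:kms, i.e. objects PUT without SSE headers inherit SSE."""
    sse = _first(bucket.get("config", {}).get("server_side_encryption_configuration"))
    rule = _first(sse.get("rule"))
    default = _first(rule.get("apply_server_side_encryption_by_default"))
    return default.get("sse_algorithm") in ("AES256", "aws:kms")


def object_has_own_encryption(obj):
    """aws_s3_bucket_object can request SSE per object via
    server_side_encryption ("AES256"/"aws:kms") or kms_key_id."""
    cfg = obj.get("config", {})
    return bool(cfg.get("server_side_encryption")) or bool(cfg.get("kms_key_id"))


def resolve_bucket(obj, buckets):
    """Find the aws_s3_bucket record an object targets, by Terraform reference
    ("${aws_s3_bucket.foo.id}") or by literal bucket name; None if unknown."""
    ref = str(obj.get("config", {}).get("bucket", ""))
    m = _BUCKET_REF.match(ref)
    for b in buckets:
        if m and b.get("name") == m.group("name"):
            return b
        if not m and b.get("config", {}).get("bucket") == ref:
            return b
    return None


def unencrypted_objects(resources):
    """Return one finding per object that is encrypted by neither itself nor
    its bucket. Objects whose bucket is outside the plan are reported too,
    because the scan cannot prove a default encryption setting for them."""
    buckets = resources.get("aws_s3_bucket", [])
    findings = []
    for obj in resources.get("aws_s3_bucket_object", []):
        if object_has_own_encryption(obj):
            continue
        bucket = resolve_bucket(obj, buckets)
        if bucket is not None and bucket_has_default_encryption(bucket):
            continue  # inherits the bucket default: not a finding
        reason = ("bucket not found in plan" if bucket is None
                  else "neither object nor bucket configures SSE")
        findings.append({"id": obj["id"], "line": obj.get("line"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in unencrypted_objects(SAMPLE_INPUT):
        print(f"{f['id']} (line {f['line']}): {f['reason']}")
```

Two limitations worth keeping in mind when porting this to a real policy: bucket default encryption only covers PUTs that send no SSE headers of their own, so the object-level attributes are still checked first; and with AWS provider v4 the bucket's encryption may live in a separate `aws_s3_bucket_server_side_encryption_configuration` resource rather than inside `aws_s3_bucket`, which this example does not look at.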

harkirat22 commented 3 years ago

@frediana yes this is a valid issue. Thanks for raising this. Absolutely, we would love to see your contribution.