S3 Bucket SSE disabled

ID

aws_s3_bucket_sse_disabled

Severity

high

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

An amazon.aws.s3_bucket task configures server-side encryption with encryption: "aws:kms" but sets no encryption_key_id. With encryption: "AES256" (SSE-S3) no key is chosen by the caller, so encryption_key_id must be null, empty or undefined; with "aws:kms" (SSE-KMS) the key id is required. When it is omitted the module falls back to the AWS-managed key (aws/s3), whose key policy, grants and rotation are outside your control, so this query reports the task.

To fix it, set encryption_key_id to the KMS key ID, key ARN or alias the bucket should encrypt with.

Learn more about this topic at AWS S3 Bucket encryption.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    # Non-compliant: SSE-KMS requested but no encryption_key_id,
    # so the AWS-managed aws/s3 key is used.
    - amazon.aws.s3_bucket:
        name: mys3bucket
        state: present
        encryption: "aws:kms"

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    # Compliant: SSE-KMS with an explicit key.
    - amazon.aws.s3_bucket:
        name: mys3bucket
        state: present
        encryption: "aws:kms"
        # Placeholder value; substitute your KMS key ID, key ARN or alias.
        encryption_key_id: "arn:aws:kms:us-east-1:1234/5678example"
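The rule's decision logic, as an added example that is neither the original query nor code from the amazon.aws collection. It runs over the Python structure yaml.safe_load() returns for a playbook, so it can be exercised offline; the two playbooks above are embedded as constructed input, with a made-up key ARN in the AWS-documented format. The helper names (iter_tasks, s3_bucket_args, check_task, check_playbook) are this example's own. The AES256 branch follows the description's wording that encryption_key_id must be empty for SSE-S3; tasks with state: absent are skipped because deleting a bucket configures no encryption.

```python
"""Checker for the aws_s3_bucket_sse_disabled rule over a parsed Ansible playbook.

Added example; not the KICS query itself nor code from the amazon.aws
collection.  It operates on the structure yaml.safe_load() would return
for a playbook, so it runs with no AWS access.
"""

# Names under which the s3_bucket module may appear in a task.
S3_BUCKET_MODULES = ("amazon.aws.s3_bucket", "s3_bucket")
# Task keys that hold nested task lists.
NESTED_TASK_KEYS = ("block", "rescue", "always")
# Play keys that hold task lists.
TASK_SECTIONS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(tasks):
    """Yield every leaf task dict, descending into block/rescue/always."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in NESTED_TASK_KEYS if k in task]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key])
        else:
            yield task


def s3_bucket_args(task):
    """Return the s3_bucket argument dict for a task, or None for other modules.

    Arguments given under a separate `args:` key are merged in; free-form
    `s3_bucket: name=x encryption=aws:kms` strings are not parsed and yield
    an empty dict, so such a task is seen but not judged.
    """
    for module in S3_BUCKET_MODULES:
        if module in task:
            args = task[module]
            if args is None:
                args = {}
            if isinstance(args, dict):
                merged = dict(task.get("args") or {})
                merged.update(args)
                return merged
            return {}
    return None


def check_task(task):
    """Apply the rule to one task; return a finding string or None."""
    args = s3_bucket_args(task)
    if args is None:
        return None
    # Deleting a bucket configures nothing, so there is nothing to check.
    if args.get("state", "present") == "absent":
        return None
    encryption = args.get("encryption")
    key_id = args.get("encryption_key_id")
    label = task.get("name") or args.get("name") or "<unnamed task>"
    if encryption == "aws:kms" and not key_id:
        return (f"{label}: encryption is aws:kms but encryption_key_id is unset; "
                "the bucket would fall back to the AWS-managed aws/s3 key")
    if encryption == "AES256" and key_id:
        return (f"{label}: encryption is AES256 (SSE-S3), so encryption_key_id "
                "must be null or empty")
    return None


def check_playbook(playbook):
    """Return the findings for every task in every play of a parsed playbook."""
    findings = []
    for play in playbook or []:
        if not isinstance(play, dict):
            continue
        for section in TASK_SECTIONS:
            for task in iter_tasks(play.get(section)):
                finding = check_task(task)
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample input: the two playbooks from this page as yaml.safe_load
# would return them.  The key ARN is a made-up placeholder.
NONCOMPLIANT_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{"amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present", "encryption": "aws:kms"}}],
}]

FIXED_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{"amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present", "encryption": "aws:kms",
        "encryption_key_id": "arn:aws:kms:us-east-1:111122223333:key/"
                             "1234abcd-12ab-34cd-56ef-1234567890ab"}}],
}]


if __name__ == "__main__":
    for title, playbook in (("non-compliant", NONCOMPLIANT_PLAYBOOK),
                            ("fixed", FIXED_PLAYBOOK)):
        print(title, check_playbook(playbook) or "no findings")
```

Run it directly to see one finding for the first playbook and none for the second; to scan a real file, pass yaml.safe_load(open(path)) to check_playbook.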