S3 Storage is not protected with SSE

ID

aws_s3_bucket_without_encryption

Severity

critical

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

S3 Storage is not protected with SSE (server-side encryption). Objects are stored in plain text, so any user with access to the underlying storage can read their content.

To fix it, configure server-side encryption with AES256 or aws:kms.

Learn more about this topic at AWS S3 Bucket encryption.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.s3_bucket:
        name: mys3bucket
        state: present
        encryption: "none"  # SSE disabled: objects are written in plain text

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - amazon.aws.s3_bucket:
        name: mys3bucket
        state: present
        encryption: "aws:kms"  # SSE-KMS; "AES256" (SSE-S3) is also accepted
        encryption_key_id: "arn:aws:kms:us-east-1:1234/5678example"  # KMS key used for SSE-KMS
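The rule above can be applied as a static check over a playbook before it runs, which is what the following added example does. It is not code from the original page or from the scanner that owns this rule; it walks the plays and flags every amazon.aws.s3_bucket task that creates a bucket with encryption set to "none" or omitted, while accepting AES256 and aws:kms. The two playbooks are constructed inline to mirror the page's examples (in practice they would come from yaml.safe_load); the "block"-nested task is an added case, and the rule id string is taken from the page.

```python
"""Static check for aws_s3_bucket_without_encryption over Ansible playbooks.

Added example, not part of the original page. Playbooks are embedded as
Python structures (constructed to mirror the page's examples) instead of
being loaded from YAML so the check runs offline.
"""
from typing import Any, Dict, Iterator, List

# Both the fully qualified collection name and the legacy short name.
MODULE_NAMES = ("amazon.aws.s3_bucket", "s3_bucket")
# The two server-side encryption modes the rule accepts.
SECURE_MODES = {"AES256", "aws:kms"}
RULE_ID = "aws_s3_bucket_without_encryption"


def _flatten(task: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always containers."""
    if any(k in task for k in ("block", "rescue", "always")):
        for k in ("block", "rescue", "always"):
            for sub in task.get(k) or []:
                yield from _flatten(sub)
    else:
        yield task


def iter_tasks(play: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every task of a play, in the order Ansible would run them."""
    for section in ("pre_tasks", "tasks", "post_tasks"):
        for task in play.get(section) or []:
            yield from _flatten(task)


def check_playbook(playbook: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per s3_bucket task that creates a bucket without SSE."""
    findings: List[Dict[str, str]] = []
    for play in playbook:
        for task in iter_tasks(play):
            module = next((m for m in MODULE_NAMES if m in task), None)
            if module is None:
                continue
            args = task[module]
            if not isinstance(args, dict):
                continue  # free-form/templated args cannot be evaluated statically
            # Deleting a bucket leaves no plaintext objects behind; skip it.
            if args.get("state", "present") == "absent":
                continue
            mode = args.get("encryption")
            if mode in SECURE_MODES:
                continue
            findings.append({
                "rule": RULE_ID,
                "task": str(task.get("name", module)),
                "bucket": str(args.get("name", "<unnamed>")),
                "encryption": "missing" if mode is None else str(mode),
            })
    return findings


# Constructed inputs mirroring the page's two playbooks.
VULNERABLE_PLAYBOOK: List[Dict[str, Any]] = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{"amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present", "encryption": "none"}}],
}]

FIXED_PLAYBOOK: List[Dict[str, Any]] = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{"amazon.aws.s3_bucket": {
        "name": "mys3bucket", "state": "present", "encryption": "aws:kms",
        "encryption_key_id": "arn:aws:kms:us-east-1:1234/5678example"}}],
}]

# Added case: encryption omitted entirely, inside a block.
OMITTED_PLAYBOOK: List[Dict[str, Any]] = [{
    "hosts": "localhost",
    "tasks": [{"block": [
        {"name": "create logs bucket",
         "s3_bucket": {"name": "logs-bucket", "state": "present"}},
        {"name": "remove old bucket",
         "s3_bucket": {"name": "old-bucket", "state": "absent"}},
    ]}],
}]


if __name__ == "__main__":
    for label, pb in (("vulnerable", VULNERABLE_PLAYBOOK),
                      ("fixed", FIXED_PLAYBOOK),
                      ("omitted", OMITTED_PLAYBOOK)):
        print(label, check_playbook(pb))
```

An absent encryption key is reported as "missing" rather than silently passed, which matches the rule's intent: the bucket is only considered protected when the playbook sets one of the two accepted modes explicitly.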