Configure bucket encryption

```hcl
# Inline server_side_encryption_configuration on aws_s3_bucket.
# NOTE(review): this is the pre-v4 form of the AWS provider; the second
# example below uses the standalone
# aws_s3_bucket_server_side_encryption_configuration resource, which is the
# form to prefer with aws >= 4.0 (the version pinned in the third example).
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # "arn" is a placeholder; set the ARN of the KMS key that should
        # protect this bucket (the second example references an aws_kms_key).
        kms_master_key_id = "arn"
        # SSE-KMS: objects are encrypted with a KMS key, so access to the data
        # is additionally governed by the key policy and key use is auditable.
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

```
```hcl
resource "aws_s3_bucket" "good_example" {
  bucket = "mybucket"

  # ... other configuration ...
}

# Standalone encryption configuration attached to the bucket above.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.good_example.id

  rule {
    apply_server_side_encryption_by_default {
      # aws_kms_key.mykey is not declared in this snippet; declare it (see the
      # aws_kms_key resource in the third example) or the plan will fail.
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

```
```hcl
terraform {
  required_version = ">= 1.0, < 2.0"

  required_providers {
    aws = ">= 4.0"
  }
}

# Customer-managed KMS key used as the bucket's default encryption key.
resource "aws_kms_key" "s3_key" {
  description         = "This key is used to encrypt S3 bucket objects"
  # Automatic rotation of the key material; existing objects keep decrypting
  # because KMS retains earlier key versions.
  enable_key_rotation = true
}

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 3.0"

  bucket        = "my_bucket"
  acl           = "private"
  # force_destroy lets `terraform destroy` delete a bucket that still holds
  # objects; keep it false for buckets whose data must not be lost.
  force_destroy = true
  # Bucket-level public access block; independent of encryption, but the
  # example pairs them so the bucket is neither public nor unencrypted.
  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true

  versioning = {
    enabled = true
  }

  # Default encryption: SSE-KMS with the customer-managed key declared above.
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.s3_key.arn
      }
    }
  }

}

```

#### Remediation Links
 - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption