
     1  package s3
     2  
// terraformEnableBucketEncryptionGoodExamples lists Terraform snippets that are
// expected to pass the S3 bucket-encryption check. All three configure
// server-side encryption with SSE-KMS (sse_algorithm = "aws:kms") together with
// a kms_master_key_id, each in a different configuration style:
//   - an inline server_side_encryption_configuration block on aws_s3_bucket
//     (the style used before AWS provider v4);
//   - the standalone aws_s3_bucket_server_side_encryption_configuration
//     resource attached to the bucket by id (the provider v4+ style);
//   - the terraform-aws-modules/s3-bucket module with the equivalent map input.
var terraformEnableBucketEncryptionGoodExamples = []string{
	// NOTE(review): "arn" below is a placeholder, not a real KMS key ARN; a
	// deployable configuration references an aws_kms_key as the later examples do.
	`
 resource "aws_s3_bucket" "good_example" {
   bucket = "mybucket"
 
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
         kms_master_key_id = "arn"
         sse_algorithm     = "aws:kms"
       }
     }
   }
 }
 `, `
 resource "aws_s3_bucket" "good_example" {
   bucket = "mybucket"
 
   # ... other configuration ...
 }
 
 resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
   bucket = aws_s3_bucket.good_example.id
 
   rule {
     apply_server_side_encryption_by_default {
       kms_master_key_id = aws_kms_key.mykey.arn
       sse_algorithm     = "aws:kms"
     }
   }
 }
 `,
	// Module-based bucket: the same encryption settings passed as a map to the
	// community s3-bucket module. This example additionally enables key rotation
	// on the KMS key, versioning, and all four public-access block settings.
	`
terraform {
  required_version = ">= 1.0, < 2.0"

  required_providers {
    aws = ">= 4.0"
  }
}

resource "aws_kms_key" "s3_key" {
  description         = "This key is used to encrypt S3 bucket objects"
  enable_key_rotation = true
}

module "s3_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "~> 3.0"

  bucket                  = "my_bucket"
  acl                     = "private"
  force_destroy           = true
  restrict_public_buckets = true
  ignore_public_acls      = true
  block_public_policy     = true
  block_public_acls       = true

  versioning = {
    enabled = true
  }

  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.s3_key.arn
      }
    }
  }

}
`,
}
    77  
// terraformEnableBucketEncryptionBadExamples lists Terraform snippets that are
// expected to fail the S3 bucket-encryption check. Both declare an
// aws_s3_bucket with no server_side_encryption_configuration block and no
// companion aws_s3_bucket_server_side_encryption_configuration resource, so the
// Terraform itself makes no encryption-at-rest choice (algorithm or key).
// NOTE(review): AWS has applied SSE-S3 to new buckets by default since early
// 2023; that service-side default is not visible in the configuration, so
// confirm how the rule is meant to treat it rather than assuming either way.
var terraformEnableBucketEncryptionBadExamples = []string{
	`
 resource "aws_s3_bucket" "bad_example" {
   bucket = "mybucket"
 }
 `, `
 resource "aws_s3_bucket" "example" {
   bucket = "yournamehere"
 
   # ... other configuration ...
 }

 `,
}
    92  
// terraformEnableBucketEncryptionLinks points readers of a finding at the
// upstream Terraform AWS provider documentation for enabling default
// server-side encryption on aws_s3_bucket.
var terraformEnableBucketEncryptionLinks = []string{
	"https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption",
}
    96  
// terraformEnableBucketEncryptionRemediationMarkdown is the Terraform-specific
// remediation text for this rule. No text is provided, so the variable is left
// at the string zero value ("") rather than assigned an empty literal.
var terraformEnableBucketEncryptionRemediationMarkdown string