2024-04-11 14:23:07 +00:00
id : s3-server-side-encryption
info :
name : Server-Side Encryption on Amazon S3 Buckets
author : princechaddha
severity : high
description : |
This template verifies if Amazon S3 buckets have server-side encryption enabled for protecting sensitive content at rest, using either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
reference :
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
2024-06-07 10:04:29 +00:00
metadata :
max-request : 2
2024-04-11 14:23:07 +00:00
tags : cloud,devops,aws,amazon,s3,aws-cloud-config
flow : |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained : true
code :
- engine :
- sh
- bash
source : |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors :
- type : json # type of the extractor
internal : true
name : buckets
json :
- '.[]'
- engine :
- sh
- bash
source : |
aws s3api get-bucket-encryption --bucket $bucket
matchers :
- type : word
words :
- "ServerSideEncryptionConfigurationNotFoundError"
extractors :
- type : dsl
dsl :
- '"The S3 bucket " + bucket +" is not encrypted at rest"'
2024-06-08 16:02:17 +00:00
# digest: 4b0a00483046022100b2f7ec06942729d8e4cd463ded9ad780f70660535ae12edcd5371d8c4726b213022100acc1da483bedd46efe1004ba122b638b7e429dcc291052bb7b784f139af5815d:922c64590222798bb761d5b6d8e72950