2024-04-11 14:23:07 +00:00
id : s3-server-side-encryption
info :
name : Server-Side Encryption on Amazon S3 Buckets
author : princechaddha
severity : high
description : |
This template verifies if Amazon S3 buckets have server-side encryption enabled for protecting sensitive content at rest, using either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
reference :
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
2024-06-07 10:04:29 +00:00
metadata :
max-request : 2
2024-04-11 14:23:07 +00:00
tags : cloud,devops,aws,amazon,s3,aws-cloud-config
flow : |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained : true
code :
- engine :
- sh
- bash
source : |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors :
- type : json # type of the extractor
internal : true
name : buckets
json :
- '.[]'
- engine :
- sh
- bash
source : |
aws s3api get-bucket-encryption --bucket $bucket
matchers :
- type : word
words :
- "ServerSideEncryptionConfigurationNotFoundError"
extractors :
- type : dsl
dsl :
- '"The S3 bucket " + bucket +" is not encrypted at rest"'
2024-04-11 14:25:25 +00:00
# digest: 490a0046304402203e012cd857cace30b445932f893b9bd0f7bc709eec9f6cb5689fd30a520525e0022029cde524c58042593e654d36bfd7dcfb81b9508c534ec7750afe9ff96ad921d1:922c64590222798bb761d5b6d8e72950
