Difference between revisions of "Terraform aws s3 bucket encryption resource always associated"
Jump to navigation
Jump to search
(Created page with " {{coguard}}") |
|||
| (12 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | {{lc}} | ||
| + | <code>terraform_aws_s3_bucket_encryption_resource_always_associated</code> | ||
| − | {{coguard}} | + | |
| + | * https://www.coguard.io/post/dangerous-defaults-2-msk-uptime-or-data-integrity | ||
| + | |||
| + | Documentation: Data stored on S3 buckets can be [[encrypted at rest]]. It is | ||
| + | recommended to always have these encrypted. In Terraform, for | ||
| + | every `[[aws_s3_bucket]]` definition, one needs to define a | ||
| + | `aws_s3_bucket_server_side_encryption_configuration` definition | ||
| + | which contains a rule to apply server side encryption. This rule | ||
| + | checks if every S3 bucket has indeed such a definition. It is to | ||
| + | be remarked that there is also a deprecated possibility to define | ||
| + | a `server_side_encryption_configuration` block inside the | ||
| + | `aws_s3_bucket` resource. This should be avoided and transformed | ||
| + | into an external resource of type | ||
| + | `aws_s3_bucket_server_side_encryption_configuration`. | ||
| + | |||
| + | Remediation: For every resource of type `aws_s3_bucket`, ensure | ||
| + | that there is an associated | ||
| + | `aws_s3_bucket_server_side_encryption_configuration` resource | ||
| + | defined. Inside this resource, under the `rule` section, there | ||
| + | needs to be the `apply_server_side_encryption_by_default` block | ||
| + | present. Source: https://registry.terraform.io/providers/hashic | ||
| + | orp/aws/latest/docs/resources/s3_bucket_server_side_encryption_co | ||
| + | nfiguration | ||
| + | |||
| + | == Related == | ||
| + | * <code>[[aws_s3_bucket_server_side_encryption_configuration]]</code> | ||
| + | |||
| + | |||
| + | == See also == | ||
| + | * {{aws_s3_bucket_server_side_encryption_configuration}} | ||
| + | * {{coguard}} | ||
| + | |||
| + | [[Category:S3]] | ||
Latest revision as of 11:55, 9 July 2024
terraform_aws_s3_bucket_encryption_resource_always_associated
Documentation: Data stored on S3 buckets can be encrypted at rest. It is recommended to always have these encrypted. In Terraform, for every `aws_s3_bucket` definition, one needs to define a `aws_s3_bucket_server_side_encryption_configuration` definition which contains a rule to apply server side encryption. This rule checks if every S3 bucket has indeed such a definition. It is to be remarked that there is also a deprecated possibility to define a `server_side_encryption_configuration` block inside the `aws_s3_bucket` resource. This should be avoided and transformed into an external resource of type `aws_s3_bucket_server_side_encryption_configuration`.
Remediation: For every resource of type `aws_s3_bucket`, ensure
that there is an associated
`aws_s3_bucket_server_side_encryption_configuration` resource
defined. Inside this resource, under the `rule` section, there
needs to be the `apply_server_side_encryption_by_default` block
present. Source: https://registry.terraform.io/providers/hashic
orp/aws/latest/docs/resources/s3_bucket_server_side_encryption_co
nfiguration
Related[edit]
See also[edit]
Advertising:
