Terraform

Made by DeepSource

Unencrypted S3 bucket TF-AWS017

Security
Major

S3 buckets should be encrypted with customer managed KMS keys rather than the default AWS managed keys, so that access to specific buckets can be controlled granularly.

Examples

Bad practice

resource "aws_s3_bucket" "my-bucket" {
  bucket = "mybucket"
  # No server_side_encryption_configuration block: no customer managed KMS key is set
}

Recommended

resource "aws_s3_bucket" "my-bucket" {
  bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "arn" # placeholder: ARN of your customer managed KMS key
        sse_algorithm     = "aws:kms"
      }
    }
  }
}
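
A fuller version of the recommended configuration, as an added example that is not DeepSource's own code: it creates the customer managed key and references its ARN instead of a literal string. It assumes AWS provider v4 or later, where default encryption is set through the separate `aws_s3_bucket_server_side_encryption_configuration` resource; all resource and bucket names are hypothetical.

```hcl
# Added example: resource names and the bucket name are hypothetical.

# Customer managed KMS key dedicated to this bucket.
resource "aws_kms_key" "example_bucket_key" {
  description             = "CMK for the example S3 bucket"
  enable_key_rotation     = true # rotate key material automatically
  deletion_window_in_days = 30   # waiting period before a scheduled deletion takes effect
}

resource "aws_s3_bucket" "example" {
  bucket = "example-bucket-name" # constructed placeholder
}

# AWS provider v4+ form: default encryption is configured in its own resource.
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      # Reference the key resource so the ARN is never hard-coded.
      kms_master_key_id = aws_kms_key.example_bucket_key.arn
      sse_algorithm     = "aws:kms"
    }

    # S3 Bucket Keys reduce the number of requests made to KMS.
    bucket_key_enabled = true
  }
}
```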