fix(terraform): сhecking SSE encryption algorithm validity (#6341)

aquasecurity · Mar 26, 2024 · abd62ae · abd62ae
1 parent 7c409fd
commit abd62ae
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/pkg/iac/adapters/terraform/aws/s3/adapt_test.go b/pkg/iac/adapters/terraform/aws/s3/adapt_test.go
@@ -36,7 +36,7 @@ resource "aws_s3_bucket_public_access_block" "example_access_block"{
 			hasPublicAccess: true,
 		},
 		{
-			desc: "public access block is found when using the bucket name as the lookup",
+			desc: "public access block is found when using the bucket id as the lookup",
 			source: `
 resource "aws_s3_bucket" "example" {
 	bucket = "bucketname"
@@ -254,6 +254,33 @@ func Test_Adapt(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "non-valid SSE algorithm",
+			terraform: `
+resource "aws_s3_bucket" "this" {
+  bucket = "test"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+  bucket = aws_s3_bucket.this.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = ""
+    }
+  }
+}`,
+			expected: s3.S3{
+				Buckets: []s3.Bucket{
+					{
+						Name: iacTypes.String("test", iacTypes.NewTestMetadata()),
+						Encryption: s3.Encryption{
+							Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+						},
+						ACL: iacTypes.String("private", iacTypes.NewTestMetadata()),
+					},
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/pkg/iac/adapters/terraform/aws/s3/bucket.go b/pkg/iac/adapters/terraform/aws/s3/bucket.go
@@ -1,6 +1,10 @@
 package s3
 
 import (
+	"slices"
+
+	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+
 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/s3"
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
@@ -194,11 +198,13 @@ func isEncrypted(sseConfgihuration *terraform.Block) iacTypes.BoolValue {
 		sseConfgihuration,
 		"rule.apply_server_side_encryption_by_default.sse_algorithm",
 		func(attr *terraform.Attribute, parent *terraform.Block) iacTypes.BoolValue {
-			if attr.IsNil() {
+			if attr.IsNil() || !attr.IsString() {
 				return iacTypes.BoolDefault(false, parent.GetMetadata())
 			}
+			algoVal := attr.Value().AsString()
+			isValidAlgo := slices.Contains(s3types.ServerSideEncryption("").Values(), s3types.ServerSideEncryption(algoVal))
 			return iacTypes.Bool(
-				true,
+				isValidAlgo,
 				attr.GetMetadata(),
 			)
 		},