Description

Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

Resolution: Enable encryption using customer managed keys.

Examples

The following example will fail the aws-s3-encryption-customer-key check.

resource "aws_s3_bucket" "bad_exampl" {
   bucket = "mybucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "AES256"
      }
    }
  }
}

The following example will pass the aws-s3-encryption-customer-key check.

resource "aws_kms_key" "good_example" {
  enable_key_rotation = true
}

resource "aws_s3_bucket" "good_example" {
   bucket = "mybucket"
 
   server_side_encryption_configuration {
     rule {
       apply_server_side_encryption_by_default {
         kms_master_key_id = aws_kms_key.example.arn
         sse_algorithm     = "aws:kms"
       }
     }
   }
 }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

aws-s3-encryption-customer-key.md

aws-s3-encryption-customer-key.md

Description

Examples

Further reading

Files

aws-s3-encryption-customer-key.md

Latest commit

History

aws-s3-encryption-customer-key.md

File metadata and controls

Description

Examples

Further reading