---
title: S3 bucket without server-side encryption
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > S3 bucket without server-side encryption
---

# S3 bucket without server-side encryption

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `594f54e7-f744-45ab-93e4-c6dbaf6cd571`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** High

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html)

### Description{% #description %}

S3 buckets should have server-side encryption (SSE) enabled to protect data at rest and prevent exposure of sensitive objects if a bucket is misconfigured or storage media is accessed.

For Ansible tasks using the amazon.aws.s3_bucket or s3_bucket modules, the `encryption` property must not be set to `'none'` and should be configured to a valid SSE algorithm such as `'AES256'` or `'aws:kms'`. Resources that omit the `encryption` property or explicitly set `encryption: 'none'` are flagged.

When using `'aws:kms'`, also specify and manage a KMS key (for example via `kms_key_id`) to retain control over encryption keys and meet organizational access requirements.

Secure example using KMS-managed keys:

```yaml
- name: Create S3 bucket with KMS encryption
  amazon.aws.s3_bucket:
    name: my-secure-bucket
    encryption: aws:kms
    kms_key_id: arn:aws:kms:us-east-1:123456789012:key/abcd-ef01-2345-6789
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create a simple s3 bucket v2
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    encryption: aws:kms
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Create a simple s3 bucket
  amazon.aws.s3_bucket:
    name: mys3bucket
    state: present
    encryption: "none"
```