For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-s3-bucket-without-server-side-encryption.md. A documentation index is available at /llms.txt.

S3 bucket without server-side encryption

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-s3-bucket-without-server-side-encryption

Provider: AWS

Platform: CloudFormation

Severity: High

Category: Encryption

Learn More

Description

S3 buckets should have server-side encryption enabled to protect data at rest from unauthorized access. Encryption also helps ensure objects remain encrypted if underlying storage media or backups are compromised.

In CloudFormation, AWS::S3::Bucket resources must define Properties.BucketEncryption.ServerSideEncryptionConfiguration as a non-empty list. Each entry should include ServerSideEncryptionByDefault.SSEAlgorithm set to AES256 or aws:kms. If using aws:kms, also specify ServerSideEncryptionByDefault.KMSMasterKeyID. Resources missing this property, or with an empty ServerSideEncryptionConfiguration, will be flagged.

Secure configuration example:

MyBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256

Compliant Code Examples

#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: KMS-KEY-ARN
    DeletionPolicy: Delete

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket with default encryption",
  "Resources": {
    "EncryptedS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}"
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "KMS-KEY-ARN"
              }
            }
          ]
        }
      },
      "DeletionPolicy": "Delete"
    }
  }
}

Non-Compliant Code Examples

#this is a problematic code where the query should report a result(s)
AWSTemplateFormatVersion: '2010-09-09'
Description: S3 bucket without default encryption
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        'Fn::Sub': 'bucket-${AWS::Region}-${AWS::AccountId}'
    DeletionPolicy: Delete

{
  "Resources": {
    "S3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {
          "Fn::Sub": "bucket-${AWS::Region}-${AWS::AccountId}"
        }
      },
      "DeletionPolicy": "Delete"
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "S3 bucket without default encryption"
}