Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(cloudformation): s3 bucket setup with KMS managed encryption w/o KMS key yields S3 Bucket SSE Disabled #6953

Closed
kylos101 opened this issue Mar 15, 2024 · 2 comments · Fixed by #6932
Closed

bug(cloudformation): s3 bucket setup with KMS managed encryption w/o KMS key yields S3 Bucket SSE Disabled #6953

kylos101 opened this issue Mar 15, 2024 · 2 comments · Fixed by #6932
Labels
aws PR related with AWS Cloud bug Something isn't working cloudformation CloudFormation query community Community contribution docker Docker query query New query feature

Comments

@kylos101
Copy link

kylos101 commented Mar 15, 2024
edited

Hi there, let me know what you think?

I figure I'm missing something, or, the issue should be removed / severity reduced for this particular scenario. In other words, AWS forces encryption if a key is omitted.

The query that relates to this is https://docs.kics.io/latest/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61/.

Expected Behavior

Not a high severity issue, at least, in this particular case. For now I've excluded the query.

Why? If you don't specify a KMS key at configuration, AWS automatically adds one. (ref)

Actual Behavior

The issue is classified as High severity

Steps to Reproduce the Problem

  1. Given CF to create a bucket like:
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
      "MyS3Bucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {
          "BucketEncryption": {
            "ServerSideEncryptionConfiguration": [
              {
                "ServerSideEncryptionByDefault": {
                  "SSEAlgorithm": "aws:kms"
                },
                "BucketKeyEnabled": false
              }
            ]
          }
        }
      }
    }
  }
  1. The AWS CLI will can be used to check for encryption aws s3api get-bucket-encryption --bucket <bucket-name> and returns:
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms"
                },
                "BucketKeyEnabled": false
            }
        ]
    }
}
  1. Scan it with KICS, you should be back something like the following in the result file:

To scan it:

docker run -t -v ./:/path checkmarx/kics:latest scan -t CloudFormation -p /path -o "/path/"         --fail-on=high --exclude-severities=low,info,medium --exclude-paths=/path/*canonical* --log-level=DEBUG
{
	"file_name": "../../path/foo-brick.template.json",
	"similarity_id": "00a648b0c2facda223d98136e0519c9c21830a79fe5d8c1414052657f8fc3d19",
	"line": 4212,
	"resource_type": "AWS::S3::Bucket",
	"resource_name": "brickservice",
	"issue_type": "IncorrectValue",
	"search_key": "Resources.brickservice.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm",
	"search_line": -1,
	"search_value": "",
	"expected_value": "Resources.brickservice.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm is 'AES256'",
	"actual_value": "Resources.brickservice.Properties.BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm is 'aws:kms'"
}

Specifications

(N/A if not applicable)

  • Version: Keeping Infrastructure as Code Secure v1.7.13
  • Platform: Ubuntu 22.04.3 LTS
  • Subsystem: n/a
@kylos101 kylos101 added bug Something isn't working community Community contribution labels Mar 15, 2024
@github-actions github-actions bot added cloudformation CloudFormation query docker Docker query aws PR related with AWS Cloud query New query feature labels Mar 15, 2024
@cx-ruiaraujo cx-ruiaraujo mentioned this issue May 16, 2024
Merged
@cx-ruiaraujo
Copy link
Contributor

Hi @kylos101,

We had a similar issue last month and our AppSec team agreed to remove this query for the supported platforms (Ansible, CloudFormation and Terraform).
I linked the PR to this case. It has already been deployed in KICS version 2.0.0.

Thank you!

@kylos101
Copy link
Author

Hi @cx-ruiaraujo , thank you so much for the heads up! Appreciate it. 🥳

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
aws PR related with AWS Cloud bug Something isn't working cloudformation CloudFormation query community Community contribution docker Docker query query New query feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update(query): s3 bucket sse bucket disabled queries deprecated Checkmarx/kics
2 participants
@kylos101 @cx-ruiaraujo