
config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config #1660

Open
maratsh opened this issue Jul 22, 2022 · 1 comment
Labels
area/security kind/bug Categorizes issue or PR as related to a bug.

Comments


maratsh commented Jul 22, 2022

Bugs should be filed for issues encountered whilst operating bank-vaults.
You should first attempt to resolve your issues through the community support
channels, e.g. Slack, in order to rule out individual configuration errors.
Please provide as much detail as possible.

Describe the bug:
As an engineer, I want to make sure vault installation is secure.

When the autounseal stanza is present, the vault-root and vault-recovery keys are available as plaintext to any user who has access to the S3 bucket, as well as to users without access to KMS.
It turns out that it is possible to configure both the kmsid and s3sse options, which leads to the vault-* objects not being encrypted.
If I remove the s3sse option from the config, the vault-* objects are uploaded encrypted.

Expected behavior:
vault-root and vault-recover-xx are expected to be KMS-encrypted ciphertexts when a KMS key is specified, or an error should be thrown when both the kmsid and s3sse options are provided. I'm not sure what the s3sse option is supposed to do; I expected it to enable S3 SSE.

Steps to reproduce the bug:
Create a vault with awskms autounseal. Try to download vault-root from the autounseal S3 bucket.

Additional context:
Add any other context about the problem here.

Environment details:

  • Kubernetes version : v1.21
  • Cloud-provider/provisioner: EKS
  • bank-vaults version: 1.15.3
  • Install method (e.g. helm or static manifests): terraform + helm for operator, terraform k8s manifest for vault crd
  • Logs from the misbehaving component (and any other relevant logs): n/a
  • Resource definition (possibly in YAML format) that caused the issue, without sensitive data:
apiVersion: v1
items:
- apiVersion: vault.banzaicloud.com/v1alpha1
  kind: Vault
  metadata:
    generation: 4
    name: hashicorp-vault
    namespace: 
  spec:
    bankVaultsImage: banzaicloud/bank-vaults:1.15.3
    config:
      listener:
        tcp:
          address: 0.0.0.0:8200
          tls_cert_file: /vault/tls/server.crt
          tls_key_file: /vault/tls/server.key
      seal:
        awskms:
          kms_key_id: xxxx-xxx-xxx-xxx-xxx
          region: eu-west-1
      storage:
        dynamodb:
          ha_enabled: "true"
          region: eu-west-1
          table: storage-backend
      telemetry:
        statsd_address: localhost:9125
      ui: true
    credentialsConfig:
      env: ""
      path: ""
      secretName: ""
    externalConfig:
      policies:
      - name: allow_secrets
        rules: path "secret/*" { capabilities = ["create", "read", "update", "delete",
          "list"] }
      - name: allow_pki
        rules: path "pki/*" { capabilities = ["create", "read", "update", "delete",
          "list"] }
      secrets:
      - description: General secrets.
        options:
          version: 2
        path: secret
        type: kv
    image: docker.io/library/vault:1.11.0
    nodeAffinity: {}
    securityContext: {}
    serviceAccount: hashicorp-vault
    serviceType: ClusterIP
    size: 3
    unsealConfig:
      aws:
        kmsKeyId: xxxx-xxx-xxx-xxx-xxx
        s3Bucket: autounseal
        s3Prefix: ""
        s3SSE: AES256
      kubernetes: {}
      options:
        preFlightChecks: true
    vaultAnnotations:
      type/instance: vault
    vaultConfigurerAnnotations:
      type/instance: vaultconfigurer
    vaultContainerSpec:
      name: ""
      resources: {}
    vaultEnvsConfig:
    - name: VAULT_LOG_LEVEL
      value: debug
    - name: VAULT_API_ADDR
      value: https://vault
  status:
    conditions:
    - status: "True"
      type: Healthy
    leader: hashicorp-vault-2
    nodes:
    - hashicorp-vault-0
    - hashicorp-vault-1
    - hashicorp-vault-2
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

/kind bug
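A defender-side check for the combination reported above, added here as an example and not part of bank-vaults: it reads the JSON that `kubectl get vault -o json` prints (a single Vault object or a kind: List wrapper) and flags any CR whose spec.unsealConfig.aws sets both kmsKeyId and s3SSE. The field names come from the CR in this issue; the embedded sample is a constructed copy of it with placeholder values.

```python
"""Flag bank-vaults Vault CRs whose AWS unseal config sets both kmsKeyId and s3SSE.

Added example (not bank-vaults project code). Input is the JSON that
`kubectl get vault -o json` prints: a single Vault object or a kind: List
wrapper. A constructed sample mirroring the issue's CR is embedded below.
"""
import json
import sys


def _vault_items(doc: dict) -> list[dict]:
    """Return the Vault objects from a single CR or a kind: List wrapper."""
    if doc.get("kind") == "List":
        return [i for i in doc.get("items", []) if i.get("kind") == "Vault"]
    return [doc] if doc.get("kind") == "Vault" else []


def find_unseal_misconfig(doc: dict) -> list[str]:
    """One finding per Vault CR where spec.unsealConfig.aws sets both kmsKeyId
    and s3SSE, the combination the issue reports as leaving the vault-root /
    vault-recovery-* objects in the bucket without KMS encryption."""
    findings = []
    for item in _vault_items(doc):
        meta = item.get("metadata", {})
        name = f"{meta.get('namespace') or '<no-ns>'}/{meta.get('name', '<unnamed>')}"
        aws = item.get("spec", {}).get("unsealConfig", {}).get("aws") or {}
        if aws.get("kmsKeyId") and aws.get("s3SSE"):
            findings.append(
                f"{name}: unsealConfig.aws sets both kmsKeyId and s3SSE={aws['s3SSE']!r}; "
                f"unseal keys in s3://{aws.get('s3Bucket', '?')} may be stored without KMS encryption"
            )
    return findings


# Constructed sample mirroring the CR from the issue (placeholder values).
SAMPLE = {
    "apiVersion": "v1", "kind": "List",
    "items": [{
        "apiVersion": "vault.banzaicloud.com/v1alpha1", "kind": "Vault",
        "metadata": {"name": "hashicorp-vault", "namespace": "vault"},
        "spec": {"unsealConfig": {"aws": {
            "kmsKeyId": "xxxx-xxx-xxx-xxx-xxx", "s3Bucket": "autounseal",
            "s3Prefix": "", "s3SSE": "AES256"}, "kubernetes": {}}},
    }],
}

if __name__ == "__main__":
    # Pipe `kubectl get vault -A -o json` in, or run without stdin to use SAMPLE.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    problems = find_unseal_misconfig(doc)
    for p in problems:
        print("FAIL", p)
    sys.exit(1 if problems else 0)
```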

@maratsh maratsh changed the title vault-root and vault-recovery keys are available as plaintext when using unseal feature docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config Jul 22, 2022
@maratsh maratsh changed the title docs issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config config security issue: vault-root and vault-recovery keys are available as plaintext when using unseal feature in certain config Jul 22, 2022
@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Jan 28, 2024
@ramizpolic ramizpolic added kind/bug Categorizes issue or PR as related to a bug. area/security and removed lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. labels Feb 9, 2024
@ramizpolic
Member

Thanks for reporting @maratsh! We will look into this and verify if it's still present

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@csatib02 csatib02 removed the lifecycle/stale Denotes an issue or PR that has become stale and will be auto-closed. label Apr 14, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 2, 2024
@bank-vaults bank-vaults deleted a comment from github-actions bot May 2, 2024