query(all): deprecate "S3 Bucket SSE Disabled" about kics HOT 6 CLOSED

hi @joshsizer @Tohar-orca ,

Our AppSec team agrees on removing the mentioned queries. We have a PR to deal with it.
Thank you!

from kics.

I agree, this is a message that I'll always dismiss as a false-positive

from kics.

Hi @Tohar-orca @joshsizer ,

Thanks for your feedback! Our AppSec team is analyzing it. We will give you our feedback as soon as we get the info from AppSec team.

from kics.

Hi @Tohar-orca @joshsizer ,

Our internal AppSec team provided the following feedback:

This change will indeed bring default encryption for Amazon S3 new objects. Anyway, if we look at the shared documentation, existing unencrypted buckets and objects will not be changed.

Is default encryption enabled on my existing buckets that don't have default encryption configured?

Yes. Amazon S3 now configures default encryption on all existing unencrypted buckets to apply server-side encryption with S3 managed keys (SSE-S3) as the base level of encryption for new objects uploaded to these buckets. Objects that are already in an existing unencrypted bucket won't be automatically encrypted.

Will Amazon S3 encrypt my existing objects that are unencrypted?

No. Beginning on January 5, 2023, Amazon S3 only automatically encrypts new object uploads. To encrypt existing objects, you can use S3 Batch Operations to create encrypted copies of your objects.

With this in mind, I recommend that we make some changes in our query (if feasible) to simply identify the S3 and objects that are configured without SSE.

Since our AppSec team recommends to "make some changes in our query", means their perspective is to not deprecate the following queries for now:

• assets/queries/ansible/aws/s3_bucket_sse_disabled
• assets/queries/cloudFormation/aws/s3_bucket_sse_disabled
• assets/queries/terraform/aws/s3_bucket_sse_disabled

What is your perspective on this?

from kics.

Thanks for the response, @gabriel-cx

The way I read the AWS response on S3 default encryption, it would appear that static analysis of S3 buckets cannot indicate if an S3 bucket has unencrypted objects in it.

All buckets, created before or after January 5, 2023, will have SSE enabled. Therefore, the SSE Bucket SSE Disabled finding will never be true.

From AWS documentation:

Can I disable encryption for the new objects being written to my bucket?

No. SSE-S3 is the new base level of encryption that's applied to all the new objects being uploaded to your bucket. You can no longer disable encryption for new object uploads.

Based on this information, I don't believe there is a case in configuration where S3 buckets will not have encryption enabled, and therefore the warning SSE Bucket SSE Disabled will always be a false positive.

As an example using Terraform, currently to resolve this finding, one must add aws_s3_bucket_server_side_encryption_configuration. In regards to security, this block is uneeded, since S3 buckets have an implicit S3-SSE encryption enabled by default for all current and new buckets. As a user of kics, I find it cumbersome to have to either add this configuration block (which doesn't materially improve data security), or dismiss the finding manually.

from kics.

@joshsizer thank you for your feedback again on this!

I opened a ticket so our AppSec team can give us feedback regarding your perspective. I will update you as soon as i get the information.

(APPSEC-2341)

from kics.