Ensure S3 buckets are encrypted with KMS by default
    Resource: aws_s3_bucket.example_destination | Bridgecrew ID: BC_AWS_GENERAL_56 | Checkov ID: CKV_AWS_145

Description

  Ensure AWS S3 object versioning is enabled
    Resource: aws_s3_bucket.example_destination | Bridgecrew ID: BC_AWS_S3_16 | Checkov ID: CKV_AWS_21

Benchmarks

• PCI-DSS V3.2.1 10.5.3
• FEDRAMP (MODERATE) CP-10, SI-12

  AWS resources that support tags do not have Tags
    Resource: aws_iam_role.example_replication | Checkov ID: CKV_AWS_CUSTOM_1

How to Fix

resource "aws_security_group" "sg" {
  name = "my-sg"
  ...
+ tags = {
+   Environment = "dev"
+   Owner = "apps-team"
+ }
}

Description

Many AWS resources support tags. Without tags, it is difficult to organize, manage and track resources.
Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names.

While there are many ways that tags can be used, we recommend you follow a tagging practice.
View AWS's recommended tagging best practices https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf[here].

  AWS resources that support tags do not have Tags
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV_AWS_CUSTOM_1

How to Fix

resource "aws_security_group" "sg" {
  name = "my-sg"
  ...
+ tags = {
+   Environment = "dev"
+   Owner = "apps-team"
+ }
}

Description

Many AWS resources support tags. Without tags, it is difficult to organize, manage and track resources.
Tags allow you to add metadata to a resource to help identify ownership, perform cost / billing analysis, and to enrich a resource with other valuable information, such as descriptions and environment names.

While there are many ways that tags can be used, we recommend you follow a tagging practice.
View AWS's recommended tagging best practices https://d1.awsstatic.com/whitepapers/aws-tagging-best-practices.pdf[here].

  S3 buckets do not have event notifications enabled
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV2_AWS_62

How to Fix

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
}

resource "aws_sns_topic" "bucket_notifications" {
  name = "bucket-notifications"
}

resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = aws_s3_bucket.bucket.id

  topic {
    topic_arn     = aws_sns_topic.bucket_notifications.arn
    events        = ["s3:ObjectCreated:*"]
    filter_prefix = "logs/"
  }
}

Description

This policy detects if the S3 bucket event notifications are not enabled in AWS settings.

  test123456
    Resource: aws_s3_bucket.example_destination | Policy ID: 1178283620591238144_undefined_1701359593970

Description

  An S3 bucket must have a lifecycle configuration
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV2_AWS_61

How to Fix

resource "aws_s3_bucket" "bucket" {
  bucket = "bucket"
  acl    = "private”

  lifecycle_rule {
    id      = "expire"
    status  = "Enabled"
    prefix  = "logs/"
    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }
    expiration {
      days = 90
    }
  }
}

Description

This policy detects whether an S3 bucket in AWS has a lifecycle configuration or not. A lifecycle configuration on an S3 bucket helps to manage objects so they can be automatically transitioned to other storage classes or expire after a certain period. This is crucial for cost effective data management and storage optimization.

  S3 Bucket does not have public access blocks
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV2_AWS_6

How to Fix

resource "aws_s3_bucket" "bucket_good_1" {
  bucket = "bucket_good"
}


+ resource "aws_s3_bucket_public_access_block" "access_good_1" {
+   bucket = aws_s3_bucket.bucket_good_1.id
+ 
+   block_public_acls   = true
+   block_public_policy = true
+ }

Description

When you create an S3 bucket, it is good practice to set the additional resource aws_s3_bucket_public_access_block to ensure the bucket is never accidentally public.
We recommend you ensure S3 bucket has public access blocks.
If the public access block is not attached it defaults to False.

  S3 buckets are not encrypted with KMS
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV_AWS_145

Description

Encrypting your data and resources with KMS helps protect your data from unauthorized access or tampering.
By encrypting your data, you can ensure that only authorized users can access and decrypt the data, and that the data is protected while in storage or in transit.
Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

  AWS Access logging not enabled on S3 buckets
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV_AWS_18

Description

Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

  AWS S3 Object Versioning is disabled
    Resource: aws_s3_bucket.example_destination | Checkov ID: CKV_AWS_21

How to Fix

+ resource "aws_s3_bucket_versioning" "example" {
+   bucket = aws_s3_bucket.example.id
+ 
+   versioning_configuration {
+     status = "Enabled"
+   }
+ }

Description

S3 versioning is a managed data backup and recovery service provided by AWS.
When enabled it allows users to retrieve and restore previous versions of their buckets.
S3 versioning can be used for data protection and retention scenarios such as recovering objects that have been accidentally/intentionally deleted or overwritten.