include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Server-side encryption is not used:

[source,python]
----
bucket = s3.Bucket(self,"bucket",
    encryption=s3.BucketEncryption.UNENCRYPTED       # Sensitive
)
----
The default value of `encryption` is `KMS` if `encryptionKey` is set. Otherwise, if both parameters are absent the bucket is unencrypted.

== Compliant Solution

Server-side encryption with Amazon S3-Managed Keys is used:

[source,python]
----
bucket = s3.Bucket(self,"bucket",
    encryption=s3.BucketEncryption.S3_MANAGED
)

# Alternatively with a KMS key managed by the user.

bucket = s3.Bucket(self,"bucket",
    encryptionKey=access_key
)
----

include::../see.adoc[]

* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketEncryption.html[AWS CDK version 2] - BucketEncryption

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* primary: Objects in the bucket are not encrypted. Make sure it is safe here.
* secondary: Propagate setting.

* primary: Omitting "{argument_name}" disables server-side encryption. Make sure it is safe here.

endif::env-github,rspecator-view[]