rspec/rules/S6245/terraform/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Server-side encryption is not used:

[source,terraform]
----
resource "aws_s3_bucket" "example" { # Sensitive
  bucket = "example"
}
----

== Compliant Solution

Server-side encryption with Amazon S3-managed keys is used for AWS provider version 3 or below:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
----

Server-side encryption with Amazon S3-managed keys is used for AWS provider version 4 or above:

[source,terraform]
----
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.bucket

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]