rspec/rules/S6245/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Server-side encryption is not used:

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    bucketName: 'default'
}); // Sensitive
----
Bucket encryption is disabled by default.

== Compliant Solution

Server-side encryption with Amazon S3-Managed Keys is used:

[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');

new s3.Bucket(this, 'id', {
    encryption: s3.BucketEncryption.KMS_MANAGED
});

# Alternatively with a KMS key managed by the user.

new s3.Bucket(this, 'id', {
    encryption: s3.BucketEncryption.KMS_MANAGED,
    encryptionKey: access_key
});
----

include::../see.adoc[]

* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketEncryption.html[AWS CDK version 2] - BucketEncryption

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* primary: Objects in the bucket are not encrypted. Make sure it is safe here.
* secondary: Propagated setting.

* primary: Omitting "{argument_name}" disables server-side encryption. Make sure it is safe here.

endif::env-github,rspecator-view[]