Skip to content

Commit abd62ae

Browse files
nikpivkinnikpivkin
authored
fix(terraform): сhecking SSE encryption algorithm validity (aquasecurity#6341)
1 parent 7c409fd commit abd62ae

File tree

2 files changed

+36
-3
lines changed

2 files changed

+36
-3
lines changed

pkg/iac/adapters/terraform/aws/s3/adapt_test.go

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ resource "aws_s3_bucket_public_access_block" "example_access_block"{
3636
hasPublicAccess: true,
3737
},
3838
{
39-
desc: "public access block is found when using the bucket name as the lookup",
39+
desc: "public access block is found when using the bucket id as the lookup",
4040
source: `
4141
resource "aws_s3_bucket" "example" {
4242
bucket = "bucketname"
@@ -254,6 +254,33 @@ func Test_Adapt(t *testing.T) {
254254
},
255255
},
256256
},
257+
{
258+
name: "non-valid SSE algorithm",
259+
terraform: `
260+
resource "aws_s3_bucket" "this" {
261+
bucket = "test"
262+
}
263+
264+
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
265+
bucket = aws_s3_bucket.this.id
266+
rule {
267+
apply_server_side_encryption_by_default {
268+
sse_algorithm = ""
269+
}
270+
}
271+
}`,
272+
expected: s3.S3{
273+
Buckets: []s3.Bucket{
274+
{
275+
Name: iacTypes.String("test", iacTypes.NewTestMetadata()),
276+
Encryption: s3.Encryption{
277+
Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
278+
},
279+
ACL: iacTypes.String("private", iacTypes.NewTestMetadata()),
280+
},
281+
},
282+
},
283+
},
257284
}
258285

259286
for _, test := range tests {

pkg/iac/adapters/terraform/aws/s3/bucket.go

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,10 @@
11
package s3
22

33
import (
4+
"slices"
5+
6+
s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
7+
48
"github.com/aquasecurity/trivy/pkg/iac/providers/aws/s3"
59
"github.com/aquasecurity/trivy/pkg/iac/terraform"
610
iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
@@ -194,11 +198,13 @@ func isEncrypted(sseConfgihuration *terraform.Block) iacTypes.BoolValue {
194198
sseConfgihuration,
195199
"rule.apply_server_side_encryption_by_default.sse_algorithm",
196200
func(attr *terraform.Attribute, parent *terraform.Block) iacTypes.BoolValue {
197-
if attr.IsNil() {
201+
if attr.IsNil() || !attr.IsString() {
198202
return iacTypes.BoolDefault(false, parent.GetMetadata())
199203
}
204+
algoVal := attr.Value().AsString()
205+
isValidAlgo := slices.Contains(s3types.ServerSideEncryption("").Values(), s3types.ServerSideEncryption(algoVal))
200206
return iacTypes.Bool(
201-
true,
207+
isValidAlgo,
202208
attr.GetMetadata(),
203209
)
204210
},

0 commit comments

Comments
 (0)