
Reflex rule that detects and remediates an S3 bucket with no default server-side encryption (SSE).


reflex-aws-s3-bucket-not-encrypted

A Reflex rule for enforcing AES256 bucket encryption in S3 buckets.

To learn more about S3 Bucket encryption, see the AWS Documentation.

Getting Started

To get started using Reflex, check out the Reflex Documentation.

Usage

To use this rule either add it to your reflex.yaml configuration file:

rules:
  aws:
    - s3-bucket-not-encrypted:
        configuration:
          mode: remediate
        version: latest

or add it directly to your Terraform:

module "s3-bucket-not-encrypted" {
  source            = "git::https://github.com/reflexivesecurity/reflex-aws-s3-bucket-not-encrypted.git?ref=latest"
  sns_topic_arn     = module.central-sns-topic.arn
  reflex_kms_key_id = module.reflex-kms-key.key_id
  mode              = "remediate"
}

Note: The sns_topic_arn and reflex_kms_key_id example values shown here assume you generated resources with reflex build. If you are using the Terraform module on its own, you need to provide your own valid values.

Configuration

This rule has the following configuration options:

mode

Sets the rule to operate in detect or remediate mode.

Required: No

Type: string

Possible values: detect | remediate

Default: detect
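The following is an added example, written for this README and not the Reflex project's own rule code, showing the detect/remediate decision the Usage and Configuration sections describe: it reads the bucket name from a CloudTrail-style CreateBucket event, checks whether the bucket has any default SSE configuration, and, only when mode is remediate, applies AES256 default encryption. The S3 client is a small in-memory fake (constructed here so the example runs offline) that mirrors the real get_bucket_encryption / put_bucket_encryption calls and the ServerSideEncryptionConfigurationNotFoundError that S3 returns for an unencrypted bucket; treating any existing default SSE algorithm (AES256 or aws:kms) as compliant is this example's assumption, not a statement about the rule's exact logic.

```python
"""Added example: detect/remediate logic for an S3 bucket without default SSE.

Illustrative code for this README, not the Reflex rule implementation. The
fake client below stands in for boto3's S3 client so the example runs offline;
the same logic applies to client.get_bucket_encryption / put_bucket_encryption.
"""


class FakeClientError(Exception):
    """Stand-in for botocore's ClientError (constructed for this example)."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeS3Client:
    """In-memory S3 client exposing only the two calls the rule needs."""

    def __init__(self, encryption_by_bucket):
        # bucket name -> ServerSideEncryptionConfiguration dict, or None for no SSE
        self._enc = dict(encryption_by_bucket)
        self.put_calls = []  # buckets that received put_bucket_encryption

    def get_bucket_encryption(self, Bucket):
        cfg = self._enc.get(Bucket)
        if cfg is None:
            # Real S3 raises this error code when no default encryption is set
            raise FakeClientError("ServerSideEncryptionConfigurationNotFoundError")
        return {"ServerSideEncryptionConfiguration": cfg}

    def put_bucket_encryption(self, Bucket, ServerSideEncryptionConfiguration):
        self._enc[Bucket] = ServerSideEncryptionConfiguration
        self.put_calls.append(Bucket)
        return {}


# Configuration applied in remediate mode: AES256 (SSE-S3) default encryption
AES256_CONFIG = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}


def bucket_sse_algorithms(client, bucket):
    """Return the set of default SSE algorithms on the bucket (empty set if none)."""
    try:
        cfg = client.get_bucket_encryption(Bucket=bucket)
    except FakeClientError as err:
        if err.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
            return set()
        raise
    rules = cfg["ServerSideEncryptionConfiguration"].get("Rules", [])
    return {
        r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"]
        for r in rules
        if "ApplyServerSideEncryptionByDefault" in r
    }


def evaluate_bucket(client, bucket, mode="detect"):
    """Apply the rule to one bucket and report compliant/remediated flags.

    In "detect" mode a non-compliant bucket is only reported; in "remediate"
    mode AES256 default encryption is applied. Other mode values are rejected,
    matching the documented values (detect | remediate).
    """
    if mode not in ("detect", "remediate"):
        raise ValueError(f"invalid mode {mode!r}: expected 'detect' or 'remediate'")
    compliant = bool(bucket_sse_algorithms(client, bucket))  # assumption: any SSE counts
    remediated = False
    if not compliant and mode == "remediate":
        client.put_bucket_encryption(
            Bucket=bucket, ServerSideEncryptionConfiguration=AES256_CONFIG
        )
        remediated = True
    return {"bucket": bucket, "compliant": compliant, "remediated": remediated}


def handle_event(client, event, mode="detect"):
    """Pull the bucket name from a CloudTrail-style CreateBucket event and evaluate it."""
    bucket = event["detail"]["requestParameters"]["bucketName"]
    return evaluate_bucket(client, bucket, mode)


# Constructed sample state: one bucket with SSE-KMS, one with no default SSE at all
SAMPLE_CLIENT_STATE = {
    "logs-bucket": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    },
    "scratch-bucket": None,
}

# Constructed, abbreviated CloudTrail event as delivered through EventBridge
SAMPLE_EVENT = {
    "detail": {
        "eventName": "CreateBucket",
        "requestParameters": {"bucketName": "scratch-bucket"},
    }
}

if __name__ == "__main__":
    client = FakeS3Client(SAMPLE_CLIENT_STATE)
    print(handle_event(client, SAMPLE_EVENT, mode="detect"))     # reported only
    print(handle_event(client, SAMPLE_EVENT, mode="remediate"))  # AES256 applied
    print(bucket_sse_algorithms(client, "scratch-bucket"))
```

Running the script twice against the same fake state shows the practical difference between the two modes: in detect mode put_calls stays empty, while remediate mode records one put_bucket_encryption call and a subsequent check reports AES256 as the bucket's default algorithm.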

Contributing

If you are interested in contributing, please review our contribution guide.

License

This Reflex rule is made available under the MPL 2.0 license. For more information view the LICENSE.