[Question]: Remove S3 KMS check, since it's enabled by default, and can't be disabled #3400

Open
Fennerr opened this issue Feb 14, 2024 · 2 comments
Assignees
Labels
bug provider/aws Issues/PRs related with the AWS provider severity/low Bug won't result in any noticeable breakdown of the execution.

Comments

@Fennerr
Contributor

Fennerr commented Feb 14, 2024

Steps to Reproduce

Here is the check: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/s3/s3_bucket_kms_encryption/s3_bucket_kms_encryption.py

Here is the documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html

Here is the relevant part of the documentation:

Can I disable encryption for the new objects being written to my bucket?

No. SSE-S3 is the new base level of encryption that's applied to all the new objects being uploaded to your bucket. You can no longer disable encryption for new object uploads.

Expected behavior

Remove the check

Actual Result with Screenshots or Logs

None

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

None

OS used

None

Prowler version

None

Pip version

None

Context

No response

@Fennerr Fennerr added bug status/needs-triage Issue pending triage labels Feb 14, 2024
@Fennerr
Contributor Author

Fennerr commented Feb 14, 2024

I actually think it's this check that needs to be removed: https://github.com/prowler-cloud/prowler/blob/master/prowler/providers/aws/services/s3/s3_bucket_default_encryption/s3_bucket_default_encryption.py

The KMS one might still apply, as I think it is checking that you use a customer-managed KMS key, but the status_extended and metadata info seem to only mention using some form of encryption - not that it is a customer-managed key in particular.

@sergargar
Member

Hi @Fennerr, you are right. We will deprecate s3_bucket_default_encryption check soon. Thanks for letting us know!

@sergargar sergargar self-assigned this Feb 27, 2024
@sergargar sergargar added severity/low Bug won't result in any noticeable breakdown of the execution. provider/aws Issues/PRs related with the AWS provider and removed status/needs-triage Issue pending triage labels Feb 27, 2024
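
The distinction raised in this thread (SSE-S3 baseline versus an AWS managed KMS key versus a customer-managed KMS key), as an added example that is not Prowler's code or part of the original issue. It assumes input shaped like the `s3:GetBucketEncryption` response and a hypothetical `key_managers` lookup built beforehand from `kms:DescribeKey` (`KeyMetadata.KeyManager`); the ARNs, the alias and the PASS/FAIL/UNKNOWN statuses are constructed for the example.

```python
# Added illustration, not Prowler code. Input dicts mirror the shape of the
# s3:GetBucketEncryption response; all ARNs and aliases below are constructed.

CMK_ARN = "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555"
AWS_ARN = "arn:aws:kms:eu-west-1:111122223333:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Hypothetical lookup built beforehand from kms:DescribeKey -> KeyMetadata.KeyManager.
KEY_MANAGERS = {CMK_ARN: "CUSTOMER", AWS_ARN: "AWS"}


def make_config(algorithm, key_id=None):
    """Build a constructed GetBucketEncryption-shaped response."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": default}]}}


def classify_bucket_encryption(response, key_managers):
    """Return (status, detail); PASS only for a customer-managed KMS key."""
    rules = (response or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    algorithm = default.get("SSEAlgorithm", "AES256")  # SSE-S3 is the baseline
    key_id = default.get("KMSMasterKeyID")

    if algorithm == "AES256":
        return "FAIL", "SSE-S3 baseline only; no KMS key configured"
    if algorithm not in ("aws:kms", "aws:kms:dsse"):
        return "UNKNOWN", f"unrecognised algorithm {algorithm!r}"
    if not key_id:
        # With no key named, S3 falls back to the AWS managed key (aws/s3).
        return "FAIL", "KMS with the AWS managed key aws/s3"
    manager = key_managers.get(key_id)
    if manager == "CUSTOMER":
        return "PASS", f"customer-managed key {key_id}"
    if manager == "AWS":
        return "FAIL", f"AWS managed key {key_id}"
    # Key not resolvable (alias, other account, missing kms:DescribeKey permission).
    return "UNKNOWN", f"cannot determine who manages {key_id}"


if __name__ == "__main__":
    for name, cfg in [("sse-s3", make_config("AES256")),
                      ("kms-default", make_config("aws:kms")),
                      ("kms-aws", make_config("aws:kms", AWS_ARN)),
                      ("kms-cmk", make_config("aws:kms:dsse", CMK_ARN)),
                      ("kms-alias", make_config("aws:kms", "alias/team-data"))]:
        print(name, classify_bucket_encryption(cfg, KEY_MANAGERS))
```

A check that passes on any encryption at all can never fail under the SSE-S3 baseline; only the `KeyManager` lookup separates the last three cases.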