diff --git a/pkg/iac/adapters/terraform/aws/s3/adapt_test.go b/pkg/iac/adapters/terraform/aws/s3/adapt_test.go index 1d347d3520fe..84f1055dd724 100644 --- a/pkg/iac/adapters/terraform/aws/s3/adapt_test.go +++ b/pkg/iac/adapters/terraform/aws/s3/adapt_test.go @@ -36,7 +36,7 @@ resource "aws_s3_bucket_public_access_block" "example_access_block"{ hasPublicAccess: true, }, { - desc: "public access block is found when using the bucket name as the lookup", + desc: "public access block is found when using the bucket id as the lookup", source: ` resource "aws_s3_bucket" "example" { bucket = "bucketname" @@ -254,6 +254,32 @@ func Test_Adapt(t *testing.T) { }, }, }, + { + name: "non-valid SSE algorithm", + terraform: ` +resource "aws_s3_bucket" "this" { + bucket = "test" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "this" { + bucket = aws_s3_bucket.this.id + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "" + } + } +}`, + expected: s3.S3{ + Buckets: []s3.Bucket{ + { + Name: iacTypes.String("test", iacTypes.NewTestMetadata()), + Encryption: s3.Encryption{ + Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()), + }, + }, + }, + }, + }, } for _, test := range tests { diff --git a/pkg/iac/adapters/terraform/aws/s3/bucket.go b/pkg/iac/adapters/terraform/aws/s3/bucket.go index ae5b2ddb2f4d..5ecf7e9ba21b 100644 --- a/pkg/iac/adapters/terraform/aws/s3/bucket.go +++ b/pkg/iac/adapters/terraform/aws/s3/bucket.go @@ -1,6 +1,10 @@ package s3 import ( + "slices" + + s3types "github.com/aws/aws-sdk-go-v2/service/s3/types" + "github.com/aquasecurity/trivy/pkg/iac/providers/aws/s3" "github.com/aquasecurity/trivy/pkg/iac/terraform" iacTypes "github.com/aquasecurity/trivy/pkg/iac/types" @@ -194,11 +198,13 @@ func isEncrypted(sseConfgihuration *terraform.Block) iacTypes.BoolValue { sseConfgihuration, "rule.apply_server_side_encryption_by_default.sse_algorithm", func(attr *terraform.Attribute, parent *terraform.Block) iacTypes.BoolValue { - if attr.IsNil() { + if attr.IsNil() || !attr.IsString() { return iacTypes.BoolDefault(false, parent.GetMetadata()) } + algoVal := attr.Value().AsString() + isValidAlgo := slices.Contains(s3types.ServerSideEncryption("").Values(), s3types.ServerSideEncryption(algoVal)) return iacTypes.Bool( - true, + isValidAlgo, attr.GetMetadata(), ) },