Missing Encryption

Encryption misconfigurations leave data vulnerable to unauthorized access. While cloud providers offer encryption capabilities for nearly all services, IaC templates must explicitly enable them. Missing encryption at rest exposes data if storage media is compromised. Missing encryption in transit allows network eavesdropping. Default encryption settings often provide insufficient protection for sensitive data.

Key management misconfigurations compound encryption vulnerabilities. Using default service keys provides minimal protection against insider threats. Overly permissive key policies allow unauthorized decryption. Missing key rotation increases the impact of key compromise. IaC templates often overlook these key management details.

# Common ENCRYPTION vulnerabilities and fixes

# VULNERABLE: S3 bucket without encryption
resource "aws_s3_bucket" "vulnerable_data" {
  bucket = "sensitive-data-bucket"
  # No server-side encryption is declared for this bucket: nothing in this
  # template attaches an aws_s3_bucket_server_side_encryption_configuration
  # to it, so objects are stored under whatever the provider applies by
  # default (newer buckets get SSE-S3) — no customer-managed KMS key, no key
  # policy you control, no rotation you manage.
  # No bucket policy rejects plaintext (non-TLS) requests either, so
  # encryption in transit is not enforced.
}

# VULNERABLE: RDS without encryption
resource "aws_db_instance" "vulnerable_db" {
  # Plaintext storage: storage_encrypted is left at its default (false) and
  # no kms_key_id is given, so the volume — and the backups and snapshots
  # derived from it — are written unencrypted. Nothing here enforces TLS
  # for client connections either.
  instance_class = "db.t3.micro"
  engine         = "mysql"
  identifier     = "app-database"
}

# VULNERABLE: EBS volume without encryption
resource "aws_ebs_volume" "vulnerable_volume" {
  size              = 40
  availability_zone = "us-east-1a"

  # `encrypted` is not set and defaults to false, and no kms_key_id is
  # supplied, so the volume and every snapshot taken from it are plaintext
  # unless the account has EBS encryption-by-default switched on — which a
  # template cannot assume.
}

# SECURE: S3 bucket with proper encryption
resource "aws_s3_bucket" "secure_data" {
  # Encryption is not declared on the bucket resource itself; it is attached
  # by the aws_s3_bucket_server_side_encryption_configuration resource that
  # references this bucket by id.
  # NOTE: the name is the same as in the vulnerable example above. Bucket
  # names are globally unique, so the two resources cannot both be applied.
  bucket = "sensitive-data-bucket"
}

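resource "aws_s3_bucket_server_side_encryption_configuration" "secure_data" {
  bucket = aws_s3_bucket.secure_data.id

  # Default encryption for objects written from now on: SSE-KMS under the
  # customer-managed key in aws_kms_key.data_key, so reading plaintext needs
  # kms:Decrypt on that key as well as s3:GetObject. Objects that already
  # exist when this is applied are not re-encrypted.
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data_key.arn
    }
    # S3 Bucket Keys derive per-object keys from a bucket-level data key, so
    # each object does not cost a separate KMS request.
    bucket_key_enabled = true
  }
}

# Encryption at rest says nothing about the wire. Deny any request that does
# not arrive over TLS so objects cannot be read or written in plaintext.
resource "aws_s3_bucket_policy" "secure_data_tls_only" {
  bucket = aws_s3_bucket.secure_data.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource = [
          aws_s3_bucket.secure_data.arn,
          "${aws_s3_bucket.secure_data.arn}/*"
        ]
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
      }
    ]
  })
}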

# SECURE: Customer-managed KMS key with rotation
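resource "aws_kms_key" "data_key" {
  description = "KMS key for data encryption"
  # 30 is the longest window KMS accepts (7–30 days). A scheduled deletion
  # can still be cancelled for a month, which matters because once the key
  # is gone every object, volume and backup encrypted under it is
  # unrecoverable.
  deletion_window_in_days = 30
  # Automatic rotation of the backing key material. Earlier material is
  # retained by KMS, so data encrypted before a rotation stays readable.
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Standard default statement: the account root principal gets full
      # control, which delegates key authorisation to the account's IAM
      # policies (and keeps the key manageable). The flip side is that the
      # key only protects against principals that lack kms:* rights in IAM,
      # so IAM grants of kms:Decrypt on this key must stay tightly scoped.
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      # Service access is limited to requests the services make on behalf of
      # this account (aws:SourceAccount), so the statement cannot be used from
      # another account through the same service (confused deputy).
      # NOTE(review): confirm the action set against each service's docs —
      # RDS, for instance, generally needs grant-related actions too.
      {
        Sid    = "Allow service usage"
        Effect = "Allow"
        Principal = {
          Service = [
            "s3.amazonaws.com",
            "rds.amazonaws.com"
          ]
        }
        Action = [
          "kms:Decrypt",
          "kms:GenerateDataKey"
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })
}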

# SECURE: RDS with encryption
resource "aws_db_instance" "secure_db" {
  instance_class = "db.t3.micro"
  engine         = "mysql"
  identifier     = "app-database"

  # Storage encrypted at rest under the customer-managed key. kms_key_id is
  # only meaningful together with storage_encrypted = true.
  kms_key_id        = aws_kms_key.data_key.arn
  storage_encrypted = true

  # Keep automated backups for 7 days. Because the instance is encrypted,
  # its backups and snapshots are encrypted with the same key; the retention
  # setting itself does not encrypt anything.
  backup_retention_period = 7

  # Encryption in transit is not enforced by this resource; for MySQL that
  # takes a parameter group setting require_secure_transport, which is not
  # part of this example.
}

# SECURE: Encrypted EBS volume
resource "aws_ebs_volume" "secure_volume" {
  size              = 40
  availability_zone = "us-east-1a"

  # Volume encrypted at rest under the customer-managed key. Snapshots taken
  # from an encrypted volume are encrypted under the same key automatically,
  # so nothing further is needed for them.
  kms_key_id = aws_kms_key.data_key.arn
  encrypted  = true

  # Informational tag only: tags do not affect encryption of the volume or
  # of its snapshots.
  tags = {
    Snapshot = "encrypted"
  }
}