AVD-AWS-0088 Flagged on S3 Buckets with AES Encryption #9132

shxjing · 2025-07-03T11:28:52Z

shxjing
Jul 3, 2025

IDs

AVD-AWS-0088

Description

Hello,

I have a terraform snippet:

resource "aws_s3_bucket" "my_bucket" {
  for_each = var.my_bucket_names
  bucket   = each.value
}

Locally, im running the commands:

terragrunt plan -lock=false -out=plan
terragrunt show -json plan > plan.json
trivy config plan.json

We are getting flagged for AVD-AWS-0088, with trivy output as follows:

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:11374-11380
   via main.tf:11373-11381 (server_side_encryption_configuration)
    via main.tf:11338-11385 (aws_s3_bucket.my_bucket_123)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
11338   resource "aws_s3_bucket" "my_bucket_123" {
.....   
11374 ┌ 	rule {
11375 │ 	apply_server_side_encryption_by_default = {
11376 │ 	kms_master_key_id = ""
11377 │ 	sse_algorithm = "AES256"
11378 │ }
11379 │ 	bucket_key_enabled = false
11380 └ }
.....   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Our buckets currently are encrypted by default with server-side encryption (SSE-S3).

I think there is a previous issue created #6024, but the fix seems to only be for cloudformation. Looking at the vulnerability DB page here: https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0088#Terraform, it seems like there are only examples with KMS keys. For this rule to pass, must we encrypt using a KMS key, or is this bugged? :o

A follow up question to this would be - what is the difference between this rule and AVD-AWS-0132, where we are supposed to be using a CMK KMS key?

Reproduction Steps

1. Run commands to plan, generate the plan as a JSON file, and run `trivy config plan.json`
2. Verify that trivy output flags the S3 bucket for AVD-AWS-0088.

Target

Git Repository

Scanner

Misconfiguration

Target OS

No response

Debug Output

2025-07-03T19:25:21+08:00       DEBUG   No plugins loaded
2025-07-03T19:25:21+08:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-03T19:25:21+08:00       DEBUG   Cache dir       dir="/Users/sam/Library/Caches/trivy"
2025-07-03T19:25:21+08:00       DEBUG   Cache dir       dir="/Users/sam/Library/Caches/trivy"
2025-07-03T19:25:21+08:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-03T19:25:21+08:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-07-03T19:25:21+08:00       DEBUG   [notification] Running version check
2025-07-03T19:25:21+08:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-07-03T19:25:22+08:00       DEBUG   [notification] Version check completed  latest_version="0.64.0"
2025-07-03T19:25:22+08:00       DEBUG   [rego] Overriding filesystem for checks
2025-07-03T19:25:22+08:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-07-03T19:25:22+08:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-07-03T19:25:22+08:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-07-03T19:25:22+08:00       DEBUG   [rego] Overriding filesystem for data
2025-07-03T19:25:22+08:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-07-03T19:25:22+08:00       DEBUG   Initializing scan cache...      type="memory"
2025-07-03T19:25:22+08:00       DEBUG   [fs] Analyzing...       root="plan.json"
2025-07-03T19:25:22+08:00       DEBUG   [fs] Random cache key will be used      err="failed to open git repository: stat /Users/sam/Projects/my-repo/config/dev/account/plan.json/.git: not a directory"
2025-07-03T19:25:22+08:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform Plan JSON"
2025-07-03T19:25:22+08:00       DEBUG   [tfjson scanner] Scanning file  file_path="plan.json"
2025-07-03T19:25:22+08:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-07-03T19:25:22+08:00       INFO    [terraform scanner] Scanning root module        file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=789 ignores=0
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/Users/sam/Projects/my-repo/config/dev/account"
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2025-07-03T19:25:22+08:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] Adapting modules...
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] Scan state data
2025-07-03T19:25:22+08:00       DEBUG   [rego] Scanning inputs  count=1
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] Finished applying checks
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] Applying ignores...
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18507-18511"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18507-18511"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2242-2263"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4411-4434"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:2410-2416"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:2548-2554"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:2856-2862"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:2903-2909"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:4487-4493"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:4842-4848"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:4905-4911"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:4954-4960"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:5017-5023"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:10280-10286"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:10338-10344"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:10408-10414"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:10466-10472"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:11374-11380"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:11437-11443"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:11486-11492"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:11549-11555"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:12690-12696"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:12861-12867"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:14780-14786"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:14987-14993"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:15270-15276"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:15365-15371"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:15460-15466"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:15526-15532"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:18464-18470"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2647-2734"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4620-4698"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2370-2421"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2498-2559"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2822-2867"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2869-2914"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4450-4498"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4806-4853"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4855-4916"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4918-4965"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4967-5028"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10235-10291"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10293-10349"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10351-10419"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10421-10477"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11338-11385"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11387-11448"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11450-11497"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11499-11560"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:12638-12701"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:14759-14790"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:14966-14997"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15235-15280"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15330-15375"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15425-15470"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15491-15536"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18442-18475"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18507-18511"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2647-2734"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:5346-5479"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:5481-5604"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10941-11080"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11082-11226"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11800-11920"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:12024-12155"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:12494-12625"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15083-15188"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15634-15757"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:3191"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:14910"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching block attribute found  cause_range="main.tf:12972"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2822-2867"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2869-2914"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4450-4498"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4806-4853"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4855-4916"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4918-4965"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:4967-5028"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10235-10291"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10293-10349"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10351-10419"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:10421-10477"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11338-11385"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11387-11448"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11450-11497"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:11499-11560"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:12638-12701"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:14759-14790"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:14966-14997"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15235-15280"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15330-15375"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15425-15470"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:15491-15536"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18442-18475"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:18507-18511"
2025-07-03T19:25:22+08:00       DEBUG   [terraform executor] No matching Terraform block found  cause_range="main.tf:2467-2488"
2025-07-03T19:25:22+08:00       DEBUG   OS is not detected.
2025-07-03T19:25:22+08:00       INFO    Detected config files   num=2
2025-07-03T19:25:22+08:00       DEBUG   Scanned config file     file_path="."
2025-07-03T19:25:22+08:00       DEBUG   Scanned config file     file_path="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Found an ignore file    file_path=".trivyignore"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0094" target="."
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0096" target="."
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0010" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0010" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0011" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0017" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0066" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0066" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0086" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0087" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0089" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0090" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0091" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0093" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0095" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0132" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   Ignored id="AVD-AWS-0143" target="main.tf"
2025-07-03T19:25:22+08:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌─────────┬───────────────┬───────────────────┐
│ Target  │     Type      │ Misconfigurations │
├─────────┼───────────────┼───────────────────┤
│ .       │ terraformplan │         0         │
├─────────┼───────────────┼───────────────────┤
│ main.tf │ terraformplan │        26         │
└─────────┴───────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


main.tf (terraformplan)

Tests: 26 (SUCCESSES: 0, FAILURES: 26)
Failures: 26 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 26, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:2410-2416
   via main.tf:2409-2417 (server_side_encryption_configuration)
    via main.tf:2370-2421 (aws_s3_bucket.my_bucket_123)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
2370   resource "aws_s3_bucket" "my_bucket_123" {
....   
2410 ┌  rule {
2411 │  apply_server_side_encryption_by_default = {
2412 │  kms_master_key_id = ""
2413 │  sse_algorithm = "AES256"
2414 │ }
2415 │  bucket_key_enabled = false
2416 └ }
....   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Version

Version: 0.64.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

nikpivkin · 2025-07-03T17:17:23Z

nikpivkin
Jul 3, 2025
Maintainer

Hi @shxjing !

When scanning the following hcl configuration, the AVD-AWS-0088 check does not trigger, so the problem is apparently related to Plan. According to the following snippet apply_server_side_encryption_by_default is recognised as an object, which is a conversion error as it is a block.

11375 │ 	apply_server_side_encryption_by_default = {
11376 │ 	kms_master_key_id = ""
11377 │ 	sse_algorithm = "AES256"
11378 │ }

what is the difference between this rule and AVD-AWS-0132, where we are supposed to be using a CMK KMS key?

AVD-AWS-0008 checks that SSE is enabled for buckets.
AVD-AWS-0132 checks that Customer Managed Key (CMK) is applied for SSE.

We need to revise AVD-AWS-0008 as AWS now applies SSE-S3 by default.

@simar7 The Terraform plan alone does not provide enough information to distinguish whether a field is a nested block or a regular attribute, as both appear similarly in the JSON output.

I suggest introducing an optional flag, for example terraform-providers-schema, which allows passing in the provider schema. This schema can be generated using the following command:

terraform providers schema -json > providers-schema.json

Each resource in the plan contains a provider_name field (e.g., registry.terraform.io/hashicorp/aws), which can be used to look up the appropriate section of the schema. Using this, we can reliably determine whether a field is a nested block or a simple attribute.

❯ cat providers-schema.json | jq '.. | objects | select(has("apply_server_side_encryption_by_default")) | .apply_server_side_encryption_by_default'

{
  "nesting_mode": "list",
  "block": {
    "attributes": {
      "kms_master_key_id": {
        "type": "string",
        "description_kind": "plain",
        "optional": true
      },
      "sse_algorithm": {
        "type": "string",
        "description_kind": "plain",
        "required": true
      }
    },
    "description_kind": "plain"
  },
  "min_items": 1,
  "max_items": 1
}

Additionally, having the provider schema is useful when analyzing Terraform configurations in JSON format, enabling precise interpretation of the resource structure.

8 replies

nikpivkin Jul 4, 2025
Maintainer

Created an issue to track the revision of AVD-AWS-0088 #9141

nikpivkin Jul 4, 2025
Maintainer

Does the terraform Go library offer support for this?

In any case, to get the schematic you would have to run the plugin and use os/exec, which is not allowed for Trivy, right? By the way, I found this package https://github.com/minamijoyo/tfschema which allows to load schemas. I think in this case there is only 1 option left - to receive schema via flag.

simar7 Jul 4, 2025
Maintainer

In any case, to get the schematic you would have to run the plugin and use os/exec, which is not allowed for Trivy, right?

I was hoping that maybe the terraform providers schema functionality was exported so that we could call it ourselves on the fly.

@shxjing - is there a reason why you scan plan files instead of the actual terraform IaC? Just looking to understand the use case better.

shxjing Jul 5, 2025
Author

hey @simar7 ,

My team is looking into using trivy to scan for misconfigurations for new PRs raised against our internal Terraform repositories, hence we're relying on plan files to see if the new changes within a PR introduce any sort of misconfiguration. The idea is that we may use the results from trivy to potentially block PR merges / ask for changes on PRs containing misconfigurations, improving the overall hygiene of our repository.

Do let me know if there is a better way to approach this :-)

shxjing Aug 5, 2025
Author

hello @simar7 @nikpivkin , are there any updates on this issue? :-)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

AVD-AWS-0088 Flagged on S3 Buckets with AES Encryption #9132

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 8 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

AVD-AWS-0088 Flagged on S3 Buckets with AES Encryption #9132

Uh oh!

shxjing Jul 3, 2025

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 1 comment · 8 replies

Uh oh!

nikpivkin Jul 3, 2025 Maintainer

Uh oh!

Uh oh!

nikpivkin Jul 4, 2025 Maintainer

Uh oh!

nikpivkin Jul 4, 2025 Maintainer

Uh oh!

simar7 Jul 4, 2025 Maintainer

Uh oh!

shxjing Jul 5, 2025 Author

Uh oh!

shxjing Aug 5, 2025 Author

shxjing
Jul 3, 2025

Replies: 1 comment 8 replies

nikpivkin
Jul 3, 2025
Maintainer

nikpivkin Jul 4, 2025
Maintainer

nikpivkin Jul 4, 2025
Maintainer

simar7 Jul 4, 2025
Maintainer

shxjing Jul 5, 2025
Author

shxjing Aug 5, 2025
Author