Unencrypted Cloud Storage
Your S3 or GCS bucket doesn't have server-side encryption enabled, meaning data is stored in plaintext on AWS/Google's infrastructure.
How It Works
Without server-side encryption (SSE), your files are stored as-is on shared cloud infrastructure. While AWS physically secures the hardware, SSE provides an additional layer: even if someone gained unauthorized access at the storage layer (AWS employee, insider threat, hardware theft), the data would be unreadable without the encryption key. Many compliance frameworks (PCI-DSS, HIPAA, SOC 2) require encryption at rest.
// BAD: S3 bucket without server-side encryption (Terraform)
resource "aws_s3_bucket" "data" {
  bucket = "my-app-data"
  // No server_side_encryption_configuration block
  // Data is stored in plaintext on AWS infrastructure
}

// GOOD: enable AES-256 server-side encryption by default
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256" // or "aws:kms" for KMS-managed keys
    }
    bucket_key_enabled = true // reduces KMS costs
  }
}
Real-World Example
Since January 2023, AWS has enabled SSE-S3 (AES-256) by default for all new S3 buckets. However, buckets created before this date or with custom Terraform configs may still lack encryption. Compliance audits commonly flag unencrypted S3 buckets — it's a quick win to fix.
How to Prevent It
- Enable server-side encryption on all S3 buckets — AWS S3 enables SSE-S3 by default now, but verify older buckets
- For sensitive data (PII, health records), use SSE-KMS with customer-managed keys for audit logging
- Enable 'Deny if not encrypted' bucket policies to reject unencrypted uploads
- Use AWS Config rule s3-bucket-server-side-encryption-enabled to audit compliance
- Ensure encryption is also applied to S3-backed services like CloudFront logs, ELB access logs, and CloudTrail
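The audit and the "deny if not encrypted" policy from the list above, as an added example that is not part of the original page or of Data Hogo's scanner. It classifies the response of the S3 GetBucketEncryption API (the sample response and the bucket name are constructed), takes a caller-supplied boto3 client for the live check, and builds the bucket policy statement that rejects uploads without an allowed SSE header:

```python
"""Audit S3 default encryption and build a deny-unencrypted-uploads bucket policy."""
import json

# Algorithms S3 accepts for default encryption: "AES256" is SSE-S3, "aws:kms" is SSE-KMS.
ALLOWED_ALGORITHMS = ("AES256", "aws:kms")


def classify_encryption(config):
    """Turn a get_bucket_encryption response (None = no default-encryption rule) into
    a finding. A KMSMasterKeyID on the rule means a named key rather than the S3 key."""
    rules = (config or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    default = next((r for r in rules if "ApplyServerSideEncryptionByDefault" in r), None)
    if default is None:
        return {"encrypted": False, "algorithm": None, "kms_key": None, "bucket_key": False}
    sse = default["ApplyServerSideEncryptionByDefault"]
    return {"encrypted": sse.get("SSEAlgorithm") in ALLOWED_ALGORITHMS,
            "algorithm": sse.get("SSEAlgorithm"),
            "kms_key": sse.get("KMSMasterKeyID"),
            "bucket_key": bool(default.get("BucketKeyEnabled", False))}


def audit_bucket(s3_client, bucket):
    """Fetch the live setting through a boto3 S3 client (assumed to be passed in by the
    caller). S3 raises ServerSideEncryptionConfigurationNotFoundError when no rule exists."""
    try:
        return classify_encryption(s3_client.get_bucket_encryption(Bucket=bucket))
    except Exception as exc:  # botocore ClientError keeps the error code in .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return classify_encryption(None)
        raise


def deny_unencrypted_uploads_policy(bucket):
    """Bucket policy denying PutObject unless the request names an allowed SSE algorithm.
    StringNotEquals also matches when the header is missing, so plaintext uploads are denied."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {
            "s3:x-amz-server-side-encryption": list(ALLOWED_ALGORITHMS)}}}]}


# Constructed sample: what S3 returns for a bucket using SSE-KMS with a bucket key.
SAMPLE_KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

if __name__ == "__main__":
    print(classify_encryption(SAMPLE_KMS_CONFIG))
    print(json.dumps(deny_unencrypted_uploads_policy("my-app-data"), indent=2))
```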
Related Vulnerabilities
- S3 Bucket Public Access (critical): Your S3 bucket is publicly readable due to a public ACL, disabled Block Public Access settings, or a wildcard bucket policy — anyone on the internet can list and download your files.
- Cloud Metadata SSRF (critical): Your app fetches user-supplied URLs without blocking cloud metadata endpoints like 169.254.169.254, letting attackers steal your cloud credentials via SSRF.
- AWS Credentials Hardcoded (critical): AWS access keys (starting with AKIA) or secret access keys are hardcoded in your source code, giving anyone who reads the code full access to your AWS account.
- IAM Overly Permissive Policy (high): Your IAM policy uses Action: '*' or Resource: '*', granting far more permissions than needed and turning any credential leak into a full account takeover.