AWS Config Rule - S3 Encryption Enforcement
Overview
This Terraform module deploys an AWS Config managed rule that checks that every S3 bucket in the account has encryption at rest enabled.
It uses the prebuilt AWS managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED for continuous compliance monitoring.
Key Features
- Enforces server-side encryption for all S3 buckets
- Uses AWS-managed rule for trusted compliance validation
- Supports tagging for environment-level visibility
- Ideal for baseline data security in regulated cloud environments
Use Cases
- Enforce encryption policies in compliance-sensitive environments
- Automate security checks across newly created S3 buckets
- Provide audit evidence of encryption posture
Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the config rule |
| config_rule_name | string | Name for the AWS Config rule |
| environment | string | Environment tag for resource tracking (e.g., prod, dev) |
Outputs
| Name | Description |
|---|---|
| config_rule_name | The name of the deployed AWS Config rule |
| config_rule_arn | The ARN of the AWS Config rule |
Deployment Readiness
- Compatible with Terraform 1.0+
- Requires AWS Provider 5.x+
- Requires a Config Recorder and Delivery Channel already deployed
- Requires IAM permissions for AWS Config and tagging
Example Usage

```hcl
module "config_rule_s3_encryption_deployment" {
  source           = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//governance/config-rule-s3-encryption?ref=v1.0.0"
  region           = "us-east-1"
  config_rule_name = "s3-bucket-encryption-check"
  environment      = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
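For readers who want to see what such a module does under the hood, the following is an added, stand-alone illustration (not the module's own source, which is distributed with the Level 1 package): it wires the three input variables to an `aws_config_config_rule` resource backed by the AWS managed rule and exposes the two documented outputs. The resource and variable names are assumptions. Note that a Config rule only reports buckets as NON_COMPLIANT; blocking or remediating unencrypted buckets requires a separate control such as an SCP, bucket policy, or Config remediation action.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

# Inputs matching the module's documented variables.
variable "region"           { type = string }
variable "config_rule_name" { type = string }
variable "environment"      { type = string }

provider "aws" {
  region = var.region
}

# Assumption: a Config recorder and delivery channel already exist in this
# region (see Deployment Readiness); the rule fails to create otherwise.
# The managed rule evaluates each S3 bucket and marks it NON_COMPLIANT when
# no default server-side encryption configuration is present.
resource "aws_config_config_rule" "s3_sse" {
  name        = var.config_rule_name
  description = "Checks that S3 buckets have default server-side encryption enabled"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  }

  # Limit evaluation to S3 buckets so unrelated resource changes do not
  # trigger re-evaluation.
  scope {
    compliance_resource_types = ["AWS::S3::Bucket"]
  }

  tags = {
    Environment = var.environment
  }
}

output "config_rule_name" {
  value = aws_config_config_rule.s3_sse.name
}

output "config_rule_arn" {
  value = aws_config_config_rule.s3_sse.arn
}
```

After `terraform apply`, `aws configservice describe-compliance-by-config-rule --config-rule-names <name>` shows whether any bucket is currently NON_COMPLIANT.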
Cleanup Options

Terraform Destroy:

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion (Recommended for Production):

```sh
aws configservice delete-config-rule --config-rule-name s3-bucket-encryption-check
```
Notes
This is a Level 1 governance module that targets a specific encryption compliance control. For comprehensive governance, consider deploying additional AWS Config rules for IAM, networking, and compute resources.
Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.