Secure encryption algorithm - Utilize Customer Controlled Keys (CMK)
import com.amazonaws.services.s3.AmazonS3ClientBuilder
import com.amazonaws.services.s3.model.ObjectMetadata
import com.amazonaws.services.s3.model.PutObjectRequest
val s3client = AmazonS3ClientBuilder.defaultClient()
val objectMetadata = new ObjectMetadata()
objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)
val putObjectRequest = new PutObjectRequest("bucketName", "key", new File("filePath"))
putObjectRequest.setMetadata(objectMetadata)
s3client.putObject(putObjectRequest)
The above code represents an example of using the AWS S3 client in a Play Framework application written in Scala. The code is written to upload a file to an S3 bucket with server-side encryption.
The vulnerability lies in the line where the Server-Side Encryption (SSE) algorithm is set. The code uses the AES_256_SERVER_SIDE_ENCRYPTION, which is a default encryption provided by AWS.
This is considered insecure because it does not fully utilize the AWS Key Management Service (KMS). The default encryption keys are managed by AWS and do not provide the same level of control and security as using Customer Managed Keys (CMK).
Using CMKs, you can create, own, and manage your cryptographic keys and control their use across all AWS services. This is important for organizations that have specific compliance requirements related to key management.
Therefore, the use of default encryption keys when more secure options are available is considered a vulnerability.
import com.amazonaws.services.s3.AmazonS3ClientBuilder
import com.amazonaws.services.s3.model.ObjectMetadata
import com.amazonaws.services.s3.model.PutObjectRequest
import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams
// Create a KMS client
val kmsClient = AWSKMSClientBuilder.standard().build()
// Create a CMK
val createKeyRequest = new CreateKeyRequest()
val createKeyResult = kmsClient.createKey(createKeyRequest)
val cmkId = createKeyResult.getKeyMetadata().getKeyId()
// Create a custom S3 client configuration that includes the CMK
val s3client = AmazonS3ClientBuilder.standard()
.withRegion(Regions.DEFAULT_REGION)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build()
val objectMetadata = new ObjectMetadata()
objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION)
val putObjectRequest = new PutObjectRequest("bucketName", "key", new File("filePath"))
putObjectRequest.setMetadata(objectMetadata)
// Specify the CMK when setting the server-side encryption algorithm
val sseAwsKeyManagementParams = new SSEAwsKeyManagementParams(cmkId)
putObjectRequest.setSSEAwsKeyManagementParams(sseAwsKeyManagementParams)
s3client.putObject(putObjectRequest)
The updated code first creates a Key Management Service (KMS) client and then uses this client to create a Customer Managed Key (CMK). The CMK ID is then stored in the
cmkId variable.
Next, a custom S3 client configuration is created that includes the CMK. This is done by using the
AmazonS3ClientBuilder.standard() method instead of the
AmazonS3ClientBuilder.defaultClient() method. The region and credentials are set in the custom configuration.
The
ObjectMetadata and
PutObjectRequest are created as before, but now the
PutObjectRequest is updated to specify the CMK when setting the server-side encryption algorithm. This is done by creating a new
SSEAwsKeyManagementParams object with the CMK ID and setting this object in the
PutObjectRequest.
Finally, the
putObject method of the S3 client is called with the updated
PutObjectRequest. This ensures that the CMK is used for server-side encryption when the object is put in the S3 bucket.