Will It Vibe logoWill It Vibe?
TF-003Medium severity-8 points

S3 bucket without server-side encryption

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An aws_s3_bucket has no inline server_side_encryption_configuration and no companion encryption resource, so objects may be stored unencrypted at rest. This is a structural heuristic: it is suppressed when any aws_s3_bucket_server_side_encryption_configuration resource is present.

Why it matters

Without server-side encryption, objects are stored on disk unencrypted, so anyone who reaches the underlying storage or a backup copy can read them in the clear. Encryption at rest is a baseline control and is expected by most compliance frameworks. This check is a heuristic: it looks for an inline encryption block or a companion encryption resource and may miss encryption set up in an unusual way.

How to fix it

Add an aws_s3_bucket_server_side_encryption_configuration resource for the bucket (or an inline server_side_encryption_configuration block) that applies AES256 or aws:kms. For sensitive data prefer aws:kms with a customer-managed key so access is auditable and revocable. Apply the same default to every bucket in the project.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks