S3 bucket without server-side encryption
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
An aws_s3_bucket has no inline server_side_encryption_configuration and no companion encryption resource, so objects may be stored unencrypted at rest. This is a structural heuristic: it is suppressed when any aws_s3_bucket_server_side_encryption_configuration resource is present.
Why it matters
Without server-side encryption, objects are stored on disk unencrypted, so anyone who reaches the underlying storage or a backup copy can read them in the clear. Encryption at rest is a baseline control and is expected by most compliance frameworks. This check is a heuristic: it looks for an inline encryption block or a companion encryption resource and may miss encryption set up in an unusual way.
How to fix it
Add an aws_s3_bucket_server_side_encryption_configuration resource for the bucket (or an inline server_side_encryption_configuration block) that applies AES256 or aws:kms. For sensitive data prefer aws:kms with a customer-managed key so access is auditable and revocable. Apply the same default to every bucket in the project.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo