Description
Describe the Feature
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html
Amazon S3 Bucket Keys reduce the cost of Amazon S3 server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS). Using a bucket-level key for SSE-KMS can reduce AWS KMS request costs by up to 99 percent by decreasing the request traffic from Amazon S3 to AWS KMS. With a few clicks in the AWS Management Console, and without any changes to your client applications, you can configure your bucket to use an S3 Bucket Key for SSE-KMS encryption on new objects.
Is there any reason why this should default to false instead of true? I know the feature was added 5 years ago so it might have been just a safety thing at the time. I think now this is seen as a net-positive feature and should be enabled by default with the option to opt-out.
terraform-aws-s3-bucket/variables.tf, lines 451 to 453 in a3d07bc:

```hcl
variable "bucket_key_enabled" {
  type    = bool
  default = false
```
terraform-aws-s3-bucket/variables.tf, lines 68 to 70 in a3d07bc:

```hcl
variable "sse_algorithm" {
  type    = string
  default = "AES256"
```
Expected Behavior
Enable bucket key by default
Use Case
Reducing costs
Describe Ideal Solution
See above
Alternatives Considered
No response
Additional Context
```text
$ trivy config components/terraform/s3/ --tf-vars components/terraform/s3/ue1-dev.terraform.tfvars.json --exit-code 1 --severity CRITICAL,HIGH --skip-version-check
2026-02-12T15:49:56-06:00 INFO [misconfig] Misconfiguration scanning is enabled
2026-02-12T15:49:57-06:00 INFO [terraform scanner] Scanning root module file_path="."
2026-02-12T15:49:57-06:00 INFO Detected config files num=2

Report Summary

┌───────────────────────────────────────────────────────────────┬───────────┬───────────────────┐
│                            Target                             │   Type    │ Misconfigurations │
├───────────────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ .                                                             │ terraform │         0         │
├───────────────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudposse/s3-bucket/aws/.terraform/modules/s3_bucket/main.tf │ terraform │         1         │
└───────────────────────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

cloudposse/s3-bucket/aws/.terraform/modules/s3_bucket/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cloudposse/s3-bucket/aws/.terraform/modules/s3_bucket/main.tf:80-94
   via main.tf:17-51 (module.s3_bucket)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  80 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
  81 │   count = local.enabled ? 1 : 0
  82 │
  83 │   bucket                = local.bucket_id
  84 │   expected_bucket_owner = var.expected_bucket_owner
  85 │
  86 │   rule {
  87 │     bucket_key_enabled = var.bucket_key_enabled
  88 └
```
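For context on what the two defaults quoted in the issue actually produce, here is an added example (not the module's code, and not part of the original issue) showing the default shape next to the SSE-KMS shape the request is aiming at, written directly against the AWS provider's `aws_s3_bucket_server_side_encryption_configuration` resource. The bucket names and the `aws_kms_key` resource are constructed for this example.

```hcl
# Added example, not the cloudposse module's own code. Resource and attribute
# names are those of the AWS provider; bucket names are constructed.

# Shape produced by the module defaults quoted in the issue
# (sse_algorithm = "AES256", bucket_key_enabled = false). SSE-S3 never calls
# KMS, so a bucket key has nothing to reduce here, and trivy AVD-AWS-0132
# fires because no customer managed key is involved.
resource "aws_s3_bucket" "default_sse" {
  bucket = "example-default-sse" # constructed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "default_sse" {
  bucket = aws_s3_bucket.default_sse.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = false
  }
}

# SSE-KMS with a customer managed key and the S3 Bucket Key turned on.
# bucket_key_enabled only has an effect together with sse_algorithm = "aws:kms":
# S3 then derives per-object data keys from a bucket-level key instead of
# calling KMS on every object operation, which is the cost reduction cited above.
resource "aws_kms_key" "s3" {
  description         = "CMK for S3 SSE-KMS (constructed example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "kms_sse" {
  bucket = "example-kms-sse" # constructed name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "kms_sse" {
  bucket = aws_s3_bucket.kms_sse.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true
  }
}
```

Two things worth checking before flipping `bucket_key_enabled` on across existing buckets: with a bucket key in use, the KMS encryption context S3 sends is the bucket ARN rather than the object ARN, so KMS key policies, grants, or IAM conditions that match on `kms:EncryptionContext:aws:s3:arn` at object granularity need to be revisited; and because far fewer KMS calls are made, CloudTrail no longer records a KMS event per object, which changes what per-object audit trails look like. Neither affects the `AES256` default, where the setting is inert.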