# S3 Encryption and Public Access Block Required
## Rule
Every S3 bucket MUST have: (1) server-side encryption enabled, (2) public access block on all four settings, (3) versioning enabled for any bucket storing important data.
## Required Configuration
```hcl
resource "aws_s3_bucket" "example" {
  bucket = "${var.project}-${var.environment}-data"
}

# 1. Block ALL public access (all four settings must be true)
resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.example.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 2. Enable encryption (SSE-KMS; without kms_master_key_id the AWS-managed
#    aws/s3 key is used, and the bucket key reduces KMS request cost)
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
    bucket_key_enabled = true
  }
}

# 3. Enable versioning
resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id

  versioning_configuration {
    status = "Enabled"
  }
}
```
## Verifying the Configuration
```bash
# Verify bucket configuration
aws s3api get-public-access-block --bucket my-bucket
aws s3api get-bucket-encryption --bucket my-bucket
aws s3api get-bucket-versioning --bucket my-bucket
```
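The three commands above print JSON, and a reviewer still has to read each document and compare it against the rule. The following is an added example, not part of this policy page, that performs that comparison in code: it takes the JSON the three `get-*` calls return and reports every requirement that fails. The sample documents are constructed to mirror the CLI output shape (a missing public access block or encryption configuration, which the CLI reports as an error, is modelled as `None`; a bucket whose versioning was never configured prints `{}`); they are not captured from a real account.

```python
"""Evaluate S3 bucket settings against the rule on this page.

Added example (not part of the original policy page). Feed it the JSON
that `aws s3api get-public-access-block`, `get-bucket-encryption` and
`get-bucket-versioning` print, and it returns the list of findings.
"""
import json

# Constructed sample: a compliant bucket (all three CLI outputs).
GOOD_PAB = json.dumps({"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})
GOOD_ENC = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
     "BucketKeyEnabled": True}]}})
GOOD_VER = json.dumps({"Status": "Enabled"})

# Constructed sample: the "bad" bucket from this page. get-public-access-block
# and get-bucket-encryption fail with an error when nothing is configured,
# which the caller maps to None; get-bucket-versioning prints {} when the
# bucket never had versioning configured.
BAD_PAB = None
BAD_ENC = None
BAD_VER = json.dumps({})

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
SSE_ALGORITHMS = ("AES256", "aws:kms")  # either satisfies "encryption enabled"


def check_public_access_block(doc):
    """All four flags must be exactly true; a missing flag is a failure."""
    if doc is None:
        return ["public access block: not configured"]
    cfg = json.loads(doc).get("PublicAccessBlockConfiguration", {})
    return [f"public access block: {flag} is not true"
            for flag in PAB_FLAGS if cfg.get(flag) is not True]


def check_encryption(doc):
    """At least one default-encryption rule must name a known SSE algorithm."""
    if doc is None:
        return ["encryption: no default encryption configured"]
    rules = (json.loads(doc)
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {})
                   .get("SSEAlgorithm") for r in rules]
    if not any(a in SSE_ALGORITHMS for a in algorithms):
        return ["encryption: no SSE algorithm set in default rule"]
    return []


def check_versioning(doc):
    """Status must be 'Enabled'; 'Suspended' or an empty document fails."""
    status = json.loads(doc).get("Status") if doc is not None else None
    if status != "Enabled":
        return [f"versioning: status is {status or 'not configured'}"]
    return []


def evaluate_bucket(pab_doc, enc_doc, ver_doc):
    """Combine the three checks into a single verdict with findings."""
    findings = (check_public_access_block(pab_doc)
                + check_encryption(enc_doc)
                + check_versioning(ver_doc))
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    for name, docs in (("good", (GOOD_PAB, GOOD_ENC, GOOD_VER)),
                       ("bad", (BAD_PAB, BAD_ENC, BAD_VER))):
        print(name, json.dumps(evaluate_bucket(*docs), indent=2))
```

A partially configured public access block (say, three flags true and one missing) is the case most often missed when eyeballing the output; the check treats a missing or `false` flag identically, since the rule requires all four.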
## Bad Configuration
```hcl
# BAD: No encryption, no public access block, no versioning
resource "aws_s3_bucket" "data" {
  bucket = "my-data-bucket"
}
# This bucket is a data breach waiting to happen
```
## Enforcement
- AWS Config rules: `s3-bucket-server-side-encryption-enabled`, `s3-bucket-public-read-prohibited`
- Account-level S3 Block Public Access (Settings > Block Public Access)
- SCP to deny `s3:PutBucketPolicy` without an encryption condition
- Terraform CI with `tfsec` or `checkov` scanning