CKV_AWS_145: Move from aws_s3_bucket to aws_s3_bucket_server_side_encryption_configuration

[Malcolm-GetAHead]

Describe the issue
It would be nice if the CKV_AWS_145 check could be moved from the aws_s3_bucket resource to the aws_s3_bucket_server_side_encryption_configuration resource. An additional check to see if the aws_s3_bucket resource has a aws_s3_bucket_server_side_encryption_configuration attached to it.

Attaching the check directly to aws_s3_bucket_server_side_encryption_configuration makes more sense and would allow ignore rules to be more specific.

Examples

variable "cloudfront_bucket" {
  type = bool
  description = "Is this a cloudfront bucket"
  default = false
}
variable "kms_arn" {
  type = string
  description = "KMS ARN for bucket encryption"
  default = null
}
resource "aws_s3_bucket" "this" {
  bucket        = "my-bucket"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  count = var.cloudfront_bucket == false ? 1 : 0

  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = var.kms_arn
      sse_algorithm     = "aws:kms"
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cloudfront" {
  count = var.cloudfront_bucket == true ? 1 : 0

  bucket = aws_s3_bucket.this.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
    bucket_key_enabled = true
  }
}

Version (please complete the following information):

• Checkov Version 3.2.370

Additional context
Add any other context about the problem here.