S3 bucket server-side encryption should be enabled

Description

Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest and helps prevent the breach of sensitive information assets. Objects can be encrypted with S3-Managed Keys (SSE-S3), KMS-Managed Keys (SSE-KMS), or Customer-Provided Keys (SSE-C).

Remediation Steps

AWS Console

  • Repeat these steps for all impacted S3 buckets.

    • Navigate to S3.

    • Select the S3 bucket.

    • Select the Properties tab.

    • Select Default Encryption.

    • Select either AES-256 or AWS-KMS encryption and click Save.

AWS CLI

  • Enable AES-256 (SSE-S3) default encryption on an S3 bucket:

    • aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

  • Enable KMS (SSE-KMS) default encryption on an S3 bucket, using the KMS key identified by <key id>:

    • aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key id>"}}]}'
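The following is an added example, not part of the original page: it evaluates the response shape returned by `aws s3api get-bucket-encryption` (or boto3's `get_bucket_encryption`) to flag buckets that lack a compliant default-encryption rule, and builds the exact JSON document the `put-bucket-encryption` commands above expect. The bucket names, key ARN and responses are constructed samples, and `None` stands in for the `ServerSideEncryptionConfigurationNotFoundError` the API raises for a bucket with no default encryption.

```python
import json

def evaluate_bucket_encryption(response):
    """Return (compliant, reason) for one get-bucket-encryption response.
    None models ServerSideEncryptionConfigurationNotFoundError (no default set)."""
    if response is None:
        return False, "no default encryption configuration"
    rules = response.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "configuration present but contains no rules"
    default = rules[0].get("ApplyServerSideEncryptionByDefault")
    if not default:
        return False, "rule has no ApplyServerSideEncryptionByDefault"
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return True, "SSE-S3 (AES256)"
    if algo == "aws:kms":
        key = default.get("KMSMasterKeyID")  # optional; absent means the AWS managed S3 key
        return True, f"SSE-KMS with key {key}" if key else "SSE-KMS with the AWS managed key"
    return False, f"unrecognised SSEAlgorithm {algo!r}"

def build_encryption_configuration(algorithm, kms_key_id=None):
    """Build the --server-side-encryption-configuration JSON used by the CLI steps."""
    if algorithm not in ("AES256", "aws:kms"):
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm}")
    default = {"SSEAlgorithm": algorithm}
    if kms_key_id:
        if algorithm != "aws:kms":
            raise ValueError("KMSMasterKeyID is only valid with aws:kms")
        default["KMSMasterKeyID"] = kms_key_id
    return json.dumps({"Rules": [{"ApplyServerSideEncryptionByDefault": default}]})

# Constructed sample responses, shaped like real get-bucket-encryption output.
SAMPLE_RESPONSES = {
    "kms-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
         "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
         "BucketKeyEnabled": True}]}},
    "sse-s3-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "unencrypted-bucket": None,  # API raised ServerSideEncryptionConfigurationNotFoundError
}

def audit(responses):
    """Return the sorted names of buckets whose default encryption is not compliant."""
    return sorted(name for name, resp in responses.items()
                  if not evaluate_bucket_encryption(resp)[0])

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        ok, why = evaluate_bucket_encryption(resp)
        print(f"{name}: {'OK  ' if ok else 'FAIL'} {why}")
    print(build_encryption_configuration("AES256"))
```

Note that default encryption only applies to objects written after it is enabled; existing unencrypted objects must be re-written (for example copied in place) to pick it up.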

Terraform

  • Ensure that the aws_s3_bucket has a server_side_encryption_configuration block with a rule defined.

Example Configuration

resource "aws_kms_key" "mykey" {
  # other required fields here
}

resource "aws_s3_bucket" "bucket" {
  # Default encryption: objects written to this bucket are encrypted with
  # SSE-KMS using the key defined above.
  # Note: with AWS provider v4 and later this inline block is deprecated in
  # favour of the separate aws_s3_bucket_server_side_encryption_configuration
  # resource; the rule structure below is the same.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # Terraform 0.12+ expression syntax; "${...}" wrapping is no longer needed.
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
  # other required fields here
}