S3 bucket server side encryption should be enabled¶

Description¶

Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest and helps prevent the breach of sensitive information assets. Objects can be encrypted with S3-Managed Keys (SSE-S3), KMS-Managed Keys (SSE-KMS), or Customer-Provided Keys (SSE-C).

Console Remediation Steps¶

Repeat these steps for all impacted S3 buckets.
Navigate to S3.
Select the S3 bucket.
Select the Properties tab.
Select Default Encryption.
Select either AES-256 or AWS-KMS encryption and click Save.

CLI Remediation Steps¶

Enable AES Encyrption on an S3 Bucket:
- aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}''
Enable KMS Encryption on an S3 Bucket:
- aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key id>"}}]}''

Fugue

S3 bucket server side encryption should be enabled¶

Description¶

Console Remediation Steps¶

CLI Remediation Steps¶

Documentation Links¶