S3 bucket server-side encryption should be enabled¶
Description¶
Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest: S3 encrypts each object as it is written and decrypts it on read, so the underlying storage never holds the object in the clear. Objects can be encrypted with S3 managed keys (SSE-S3), AWS KMS keys (SSE-KMS), or customer-provided keys (SSE-C); only SSE-S3 and SSE-KMS can be set as a bucket default, since SSE-C keys are supplied per request. A default encryption rule applies to objects written after the rule is set; objects already in the bucket are not re-encrypted until they are re-uploaded or copied in place. Choose SSE-KMS with a customer managed key when you need key policy control and per-request key usage recorded in CloudTrail.
Remediation Steps¶
AWS Console¶
Repeat these steps for all impacted S3 buckets.
Navigate to S3.
Select the S3 bucket.
Select the Properties tab.
Under Default encryption, select Edit.
Select either SSE-S3 (AES-256) or SSE-KMS; for SSE-KMS choose the KMS key to use (enabling S3 Bucket Key reduces KMS request volume), then click Save changes.
AWS CLI¶
Enable SSE-S3 (AES256) default encryption on an S3 bucket:
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
Enable SSE-KMS default encryption on an S3 bucket (the key may be given as a key ID, key ARN, or alias; BucketKeyEnabled is optional but recommended):
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key id>"},"BucketKeyEnabled":true}]}'
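To verify the result of the steps above across an account, the check below classifies the response of `aws s3api get-bucket-encryption` (boto3 `get_bucket_encryption`) and flags buckets that have no default rule, use SSE-S3, or use SSE-KMS on the AWS managed key `aws/s3` rather than a customer managed key. It is an added example, not code from the original rule page: `evaluate_bucket_encryption()` is a pure function so it runs offline against the constructed sample responses embedded below, `object_is_encrypted()` covers the caveat that pre-existing objects are not re-encrypted by a new default rule, and `audit_live_account()` is an assumed wrapper that wires the same check to boto3 with credentials and region taken from the environment.

```python
"""Audit S3 default-encryption state. Added example; not part of the original page."""
from typing import Optional

AWS_MANAGED_S3_KEY_ALIAS = "alias/aws/s3"  # what SSEAlgorithm "aws:kms" with no key id resolves to


def evaluate_bucket_encryption(config: Optional[dict], require_customer_key: bool = False) -> dict:
    """Classify a GetBucketEncryption response body.

    config is None when the API raised ServerSideEncryptionConfigurationNotFoundError
    (no default rule at all). With require_customer_key=True, SSE-S3 and SSE-KMS on
    the AWS managed aws/s3 key are reported as non-compliant, for policies that need
    key policy control and CloudTrail key-usage events. A bare key ID of the aws/s3
    key is not recognised here (that would need kms:DescribeKey); aliases and ARNs are.
    """
    result = {"compliant": False, "algorithm": None, "kms_key": None, "reason": ""}
    if not config:
        result["reason"] = "no default encryption rule configured"
        return result

    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if not default:
            continue
        alg = default.get("SSEAlgorithm")
        key = default.get("KMSMasterKeyID")
        result["algorithm"] = alg
        if alg in ("aws:kms", "aws:kms:dsse"):
            result["kms_key"] = key or AWS_MANAGED_S3_KEY_ALIAS
            customer_key = bool(key) and not key.endswith(AWS_MANAGED_S3_KEY_ALIAS)
            result["compliant"] = customer_key or not require_customer_key
            result["reason"] = ("SSE-KMS with customer managed key" if customer_key
                                else "SSE-KMS with AWS managed key aws/s3")
            return result
        if alg == "AES256":
            result["compliant"] = not require_customer_key
            result["reason"] = "SSE-S3 (AES256)"
            return result
        result["reason"] = f"unrecognised SSEAlgorithm {alg!r}"
        return result

    result["reason"] = "rule present but no ApplyServerSideEncryptionByDefault"
    return result


def object_is_encrypted(head: dict) -> bool:
    """True when a HeadObject response shows SSE-S3/SSE-KMS (ServerSideEncryption) or
    SSE-C (SSECustomerAlgorithm). Default encryption only covers objects written after
    the rule was set, so older objects need this per-object check."""
    return bool(head.get("ServerSideEncryption") or head.get("SSECustomerAlgorithm"))


def audit_live_account(require_customer_key: bool = False) -> dict:
    """Assumed wrapper: run evaluate_bucket_encryption() over every bucket (needs boto3)."""
    import boto3  # imported here so the offline functions above have no dependency
    from botocore.exceptions import ClientError

    s3 = boto3.client("s3")
    findings = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            config = s3.get_bucket_encryption(Bucket=name)
        except ClientError as exc:
            if exc.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            config = None  # no default rule on this bucket
        findings[name] = evaluate_bucket_encryption(config, require_customer_key)
    return findings


# Constructed sample responses (not captured from a real account).
SAMPLE_NO_RULE = None
SAMPLE_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SAMPLE_SSE_KMS_CMK = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
     "BucketKeyEnabled": True}]}}
SAMPLE_SSE_KMS_AWS_MANAGED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}

if __name__ == "__main__":
    for label, cfg in [("no rule", SAMPLE_NO_RULE), ("sse-s3", SAMPLE_SSE_S3),
                       ("sse-kms cmk", SAMPLE_SSE_KMS_CMK),
                       ("sse-kms aws/s3", SAMPLE_SSE_KMS_AWS_MANAGED)]:
        print(f"{label:15} {evaluate_bucket_encryption(cfg, require_customer_key=True)}")
```

Run it with no arguments to see the four constructed cases classified; call `audit_live_account(require_customer_key=True)` from a session with `s3:ListAllMyBuckets` and `s3:GetEncryptionConfiguration` permissions to produce the same classification per bucket in a real account.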
CloudFormation¶
JSON¶
Ensure that AWS::S3::Bucket contains the following (BucketEncryption holds a ServerSideEncryptionConfiguration list of rules, and SSEAlgorithm is required; bucket names must be lowercase):
{
  "Properties" : {
    "BucketName" : "example-bucket-name",
    "BucketEncryption" : {
      "ServerSideEncryptionConfiguration" : [
        {
          "BucketKeyEnabled" : true,
          "ServerSideEncryptionByDefault" : {
            "SSEAlgorithm" : "aws:kms",
            "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
          }
        }
      ]
    }
  }
}
JSON Example Configuration¶
{
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "BucketName" : "example-bucket-name",
    "BucketEncryption" : {
      "ServerSideEncryptionConfiguration" : [
        {
          "BucketKeyEnabled" : true,
          "ServerSideEncryptionByDefault" : {
            "SSEAlgorithm" : "aws:kms",
            "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
          }
        }
      ]
    }
    # other required fields here
  }
}
YAML¶
Ensure that AWS::S3::Bucket contains the following (BucketEncryption holds a ServerSideEncryptionConfiguration list of rules, and SSEAlgorithm is required):
Properties:
  BucketName: example-bucket-name
  BucketEncryption:
    ServerSideEncryptionConfiguration:
      - BucketKeyEnabled: true
        ServerSideEncryptionByDefault:
          SSEAlgorithm: aws:kms
          KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
YAML Example Configuration¶
Type: 'AWS::S3::Bucket'
Properties:
  BucketName: example-bucket-name
  BucketEncryption:
    ServerSideEncryptionConfiguration:
      - BucketKeyEnabled: true
        ServerSideEncryptionByDefault:
          SSEAlgorithm: aws:kms
          KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  # other required fields here
Terraform¶
Ensure that the aws_s3_bucket has a server_side_encryption_configuration block with a rule defined, or, with AWS provider v4 and later where that inline block is deprecated, that a separate aws_s3_bucket_server_side_encryption_configuration resource references the bucket and defines a rule.
Example Configuration¶
resource "aws_kms_key" "mykey" {
  description         = "Key for S3 default encryption"
  enable_key_rotation = true
  # other required fields here
}

resource "aws_s3_bucket" "bucket" {
  bucket = "example-bucket-name"
  # other required fields here
}

# AWS provider v4+: default encryption is configured by its own resource
# (the inline server_side_encryption_configuration block on aws_s3_bucket is deprecated)
resource "aws_s3_bucket_server_side_encryption_configuration" "bucket" {
  bucket = aws_s3_bucket.bucket.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
    bucket_key_enabled = true
  }
}