S3 bucket server-side encryption should be enabled¶

Description¶

Enabling server-side encryption (SSE) on S3 buckets at the object level protects data at rest and helps prevent the breach of sensitive information assets. Objects can be encrypted with S3 Managed Keys (SSE-S3), KMS Managed Keys (SSE-KMS), or Customer Provided Keys (SSE-C).

Remediation Steps¶

AWS Console¶

Repeat these steps for all impacted S3 buckets.
- Navigate to S3.
- Select the S3 bucket.
- Select the Properties tab.
- Select Default Encryption.
- Select either AES-256 or AWS-KMS encryption and click Save.

AWS CLI¶

Enable AES Encryption on an S3 Bucket:
- aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
Enable KMS Encryption on an S3 Bucket:
- aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key id>"}}]}'

CloudFormation¶

JSON¶

Ensure that AWS::S3::Bucket contains the following:

{
  "Properties" : {
    "BucketName" : "Example-Bucket-Name",
    "BucketEncryption" : {
      "BucketKeyEnabled" : true,
      "ServerSideEncryptionByDefault" : {
        "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    }
  }
}

JSON Example Configuration¶

{
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "BucketName" : "Example-Bucket-Name",
    "BucketEncryption" : {
      "BucketKeyEnabled" : true,
      "ServerSideEncryptionByDefault" : {
        "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    }
  # other required fields here
}

YAML¶

Ensure that AWS::S3::Bucket contains the following:

Properties:
  BucketName: Example-Bucket-Name
  BucketEncryption:
    BucketKeyEnabled: true
    ServerSideEncryptionByDefault:
      KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

YAML Example Configuration¶

Type: 'AWS::S3::Bucket'
Properties:
  BucketName: Example-Bucket-Name
  BucketEncryption:
    BucketKeyEnabled: true
    ServerSideEncryptionByDefault:
      KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
# other required fields here

Terraform¶

Ensure that the aws_s3_bucket has a server_side_encryption_configuration block with a rule defined.

Example Configuration¶

resource "aws_kms_key" "mykey" {
  # other required fields here
}

resource "aws_s3_bucket" "bucket" {
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.mykey.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  # other required fields here
}

S3 bucket server-side encryption should be enabled¶

Description¶

Remediation Steps¶

AWS Console¶

AWS CLI¶

CloudFormation¶

JSON¶

JSON Example Configuration¶

YAML¶

YAML Example Configuration¶

Terraform¶

Example Configuration¶

Documentation Links¶

Runtime¶

CloudFormation¶

Terraform¶