S3 bucket server-side encryption should be enabled

Description

Enabling default server-side encryption (SSE) on an S3 bucket encrypts every object written to it at rest, which protects the data and limits the impact of a breach of sensitive information assets. Objects can be encrypted with S3-managed keys (SSE-S3), AWS KMS keys (SSE-KMS), or customer-provided keys (SSE-C).

Remediation Steps

AWS Console

  • Repeat these steps for all impacted S3 buckets.

    • Navigate to S3.

    • Select the S3 bucket.

    • Select the Properties tab.

    • Select Default Encryption.

    • Select either AES-256 or AWS-KMS encryption and click Save.

AWS CLI

  • Enable SSE-S3 (AES-256) default encryption on an S3 bucket:

    • aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

  • Enable SSE-KMS default encryption on an S3 bucket (the key ID may be a key ARN, key ID, or alias):

    • aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"<key id>"}}]}'
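An added example (not part of the original page) that verifies the remediation above: it classifies the JSON that aws s3api get-bucket-encryption returns for each bucket, flags buckets whose default encryption is missing (or, with require_kms=True, not KMS-backed), and builds the exact document passed to --server-side-encryption-configuration. The sample responses and bucket names are constructed; in real use the responses come from boto3's get_bucket_encryption, and a bucket with no configuration raises a ClientError with code ServerSideEncryptionConfigurationNotFoundError, which the caller maps to None here.

```python
"""Audit S3 default-encryption settings from get-bucket-encryption responses."""
import json

# Constructed sample responses shaped like the output of
# `aws s3api get-bucket-encryption --bucket <name>` (boto3: get_bucket_encryption).
# A bucket with no default-encryption configuration makes the API fail with
# error code ServerSideEncryptionConfigurationNotFoundError; that case is
# represented here as None (the caller catches the ClientError and passes None).
SAMPLE_RESPONSES = {
    "logs-bucket": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
        }
    },
    "pii-bucket": {
        "ServerSideEncryptionConfiguration": {
            "Rules": [{
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                },
                "BucketKeyEnabled": True,
            }]
        }
    },
    # A rule that names no algorithm: treated as unencrypted by the audit.
    "legacy-bucket": {"ServerSideEncryptionConfiguration": {"Rules": [{}]}},
    "unencrypted-bucket": None,
}

# Friendly names for the SSEAlgorithm values the API accepts.
ALGORITHM_NAMES = {"AES256": "SSE-S3", "aws:kms": "SSE-KMS", "aws:kms:dsse": "DSSE-KMS"}


def classify_default_encryption(response):
    """Return (kind, kms_key_id) where kind is 'none', 'SSE-S3', 'SSE-KMS' or 'DSSE-KMS'."""
    if response is None:
        return ("none", None)
    config = response.get("ServerSideEncryptionConfiguration") or {}
    for rule in config.get("Rules") or []:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        kind = ALGORITHM_NAMES.get(default.get("SSEAlgorithm"))
        if kind:
            # KMSMasterKeyID is absent when the AWS-managed aws/s3 key is used.
            return (kind, default.get("KMSMasterKeyID"))
    return ("none", None)


def audit(responses, require_kms=False):
    """Return [(bucket, kind)] for buckets that violate the policy.

    Default policy: any default encryption is acceptable. With require_kms=True,
    only SSE-KMS / DSSE-KMS passes (customer-controlled key policy and CloudTrail
    logging of key use), which is the stricter setting for sensitive buckets.
    """
    findings = []
    for bucket, response in responses.items():
        kind, _key = classify_default_encryption(response)
        if kind == "none" or (require_kms and kind == "SSE-S3"):
            findings.append((bucket, kind))
    return findings


def build_encryption_config(algorithm, kms_key_id=None):
    """Build the document for `put-bucket-encryption --server-side-encryption-configuration`."""
    if algorithm not in ALGORITHM_NAMES:
        raise ValueError(f"unsupported SSEAlgorithm: {algorithm!r}")
    default = {"SSEAlgorithm": algorithm}
    if kms_key_id:
        if algorithm == "AES256":
            raise ValueError("KMSMasterKeyID is only valid with aws:kms or aws:kms:dsse")
        default["KMSMasterKeyID"] = kms_key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}


if __name__ == "__main__":
    for bucket, kind in audit(SAMPLE_RESPONSES, require_kms=True):
        print(f"FINDING {bucket}: default encryption = {kind}")
    # JSON string to pass to the CLI flag when remediating a finding.
    print(json.dumps(build_encryption_config("AES256")))
```

To run this against a real account, replace SAMPLE_RESPONSES with one get_bucket_encryption call per bucket from list_buckets, catching the not-found error and storing None; json.dumps(build_encryption_config(...)) produces the quoted argument shown in the CLI commands above.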

CloudFormation

JSON

{
  "Properties" : {
    "BucketName" : "Example-Bucket-Name",
    "BucketEncryption" : {
      "ServerSideEncryptionConfiguration" : [
        {
          "BucketKeyEnabled" : true,
          "ServerSideEncryptionByDefault" : {
            "SSEAlgorithm" : "aws:kms",
            "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
          }
        }
      ]
    }
  }
}

JSON Example Configuration

{
  "Type" : "AWS::S3::Bucket",
  "Properties" : {
    "BucketName" : "Example-Bucket-Name",
    "BucketEncryption" : {
      "ServerSideEncryptionConfiguration" : [
        {
          "BucketKeyEnabled" : true,
          "ServerSideEncryptionByDefault" : {
            "SSEAlgorithm" : "aws:kms",
            "KMSMasterKeyID" : "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
          }
        }
      ]
    }
  }
}

Add any other required fields to Properties. Note that BucketEncryption holds a ServerSideEncryptionConfiguration list of rules; BucketKeyEnabled and ServerSideEncryptionByDefault belong inside a rule, and SSEAlgorithm is required in ServerSideEncryptionByDefault (use AES256 for SSE-S3, in which case KMSMasterKeyID is omitted).

YAML

Properties:
  BucketName: Example-Bucket-Name
  BucketEncryption:
    ServerSideEncryptionConfiguration:
      - BucketKeyEnabled: true
        ServerSideEncryptionByDefault:
          SSEAlgorithm: 'aws:kms'
          KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

YAML Example Configuration

Type: 'AWS::S3::Bucket'
Properties:
  BucketName: Example-Bucket-Name
  BucketEncryption:
    ServerSideEncryptionConfiguration:
      - BucketKeyEnabled: true
        ServerSideEncryptionByDefault:
          SSEAlgorithm: 'aws:kms'
          KMSMasterKeyID: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  # other required fields here
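An added example (not part of the original page) of checking the CloudFormation remediation before deployment: a small static check that walks every AWS::S3::Bucket in a JSON template and reports buckets whose BucketEncryption is missing or not in the shape CloudFormation accepts. The sample template, its logical IDs and the alias/example key are constructed; the checker assumes a plain JSON template with no intrinsic functions (Ref, Fn::If) inside the BucketEncryption block, and a YAML template would first need to be loaded with a YAML parser into the same dict structure.

```python
"""Static check for CloudFormation JSON templates: every AWS::S3::Bucket must
declare a valid BucketEncryption default rule."""
import json

VALID_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

# Constructed sample template covering the cases the checker distinguishes.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "KmsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [{
                        "BucketKeyEnabled": True,
                        "ServerSideEncryptionByDefault": {
                            "SSEAlgorithm": "aws:kms",
                            "KMSMasterKeyID": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                        },
                    }]
                }
            },
        },
        "S3ManagedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        },
        # Keys placed directly under BucketEncryption: CloudFormation rejects this shape.
        "MisplacedKeysBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "BucketKeyEnabled": True,
                    "ServerSideEncryptionByDefault": {"KMSMasterKeyID": "alias/example"},
                }
            },
        },
        "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "plain"}},
        "NotABucket": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
})


def bucket_encryption_issue(properties):
    """Return None when Properties carries a valid default-encryption rule,
    otherwise a short reason string describing what is wrong."""
    enc = properties.get("BucketEncryption")
    if not isinstance(enc, dict):
        return "BucketEncryption missing"
    rules = enc.get("ServerSideEncryptionConfiguration")
    if not isinstance(rules, list) or not rules:
        return "BucketEncryption.ServerSideEncryptionConfiguration must be a non-empty list"
    for rule in rules:
        default = rule.get("ServerSideEncryptionByDefault") if isinstance(rule, dict) else None
        if not isinstance(default, dict):
            return "rule lacks ServerSideEncryptionByDefault"
        algorithm = default.get("SSEAlgorithm")
        if algorithm not in VALID_ALGORITHMS:
            return f"SSEAlgorithm missing or invalid: {algorithm!r}"
        if algorithm == "AES256" and "KMSMasterKeyID" in default:
            return "KMSMasterKeyID is only allowed with aws:kms or aws:kms:dsse"
    return None


def check_template(template_text):
    """Return {logical_id: issue} for every AWS::S3::Bucket that fails the check."""
    template = json.loads(template_text)
    findings = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        issue = bucket_encryption_issue(resource.get("Properties") or {})
        if issue:
            findings[logical_id] = issue
    return findings


if __name__ == "__main__":
    for logical_id, issue in check_template(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {issue}")
```

Running it on the sample reports MisplacedKeysBucket (rule keys at the wrong level) and PlainBucket (no BucketEncryption at all), while the two correctly declared buckets and the non-S3 resource pass.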

Terraform

  • Ensure that the aws_s3_bucket has a server_side_encryption_configuration block with a rule defined.

Example Configuration

resource "aws_kms_key" "mykey" {
  # other required fields here
}

resource "aws_s3_bucket" "bucket" {
  # Default encryption applied to every object written to the bucket.
  # In AWS provider v4 and later this inline block is deprecated in favour of a
  # separate aws_s3_bucket_server_side_encryption_configuration resource that
  # references the bucket; the rule contents are the same.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
  # other required fields here
}