2.1.1 Ensure all S3 buckets employ encryption-at-rest

Information

Amazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Impact:

Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Console:

Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/

Select the check box next to the bucket.

Click on 'Properties'.

Click on Default Encryption.

Select either AES-256 or AWS-KMS.

Click Save.

Repeat for all the buckets in your AWS account lacking encryption.

From Command Line:
Run either

aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

or

aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'

Note: the JSON passed to --server-side-encryption-configuration must use double quotes inside the single-quoted shell argument. The KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.
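The following is an added example, not part of the benchmark or of Tenable's audit plugin: it evaluates the parsed output of `aws s3api get-bucket-encryption` for each bucket, flags buckets with no compliant default-encryption rule, and emits the put-bucket-encryption command above with correctly quoted JSON, keeping server access log destination buckets on SSE-S3 as the Impact section requires. The bucket names, responses and the function names are constructed for illustration; fetching the real responses from the CLI is left to the caller.

```python
import json
import shlex

# SSEAlgorithm values that satisfy the control (SSE-S3 and SSE-KMS variants).
COMPLIANT_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}


def default_encryption(config):
    """Return the SSEAlgorithm of the bucket's default-encryption rule, or None.

    `config` is the parsed JSON from `aws s3api get-bucket-encryption`; pass None
    when that call failed with ServerSideEncryptionConfigurationNotFoundError.
    """
    if not config:
        return None
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in COMPLIANT_ALGORITHMS:
            return algo
    return None


def remediation_command(bucket, kms_key_id=None):
    """Build the put-bucket-encryption command (SSE-S3 unless a KMS key is given).

    json.dumps produces the double-quoted JSON the CLI expects; shlex.quote wraps
    it in single quotes for the shell.
    """
    by_default = {"SSEAlgorithm": "AES256"}
    if kms_key_id:
        by_default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_id}
    sse_config = json.dumps({"Rules": [{"ApplyServerSideEncryptionByDefault": by_default}]})
    return ("aws s3api put-bucket-encryption --bucket %s "
            "--server-side-encryption-configuration %s"
            % (shlex.quote(bucket), shlex.quote(sse_config)))


def audit(buckets, log_destinations=(), kms_key_id=None):
    """Map each non-compliant bucket to its remediation command.

    `buckets` maps bucket name -> parsed get-bucket-encryption output (or None).
    Server access log destination buckets always get SSE-S3, since SSE-KMS
    default encryption is not supported for them.
    """
    findings = {}
    for name, config in buckets.items():
        if default_encryption(config) is None:
            key = None if name in log_destinations else kms_key_id
            findings[name] = remediation_command(name, key)
    return findings


# Constructed sample responses; not real account data.
SAMPLE = {
    "app-data": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "aws/s3"}}]}},
    "access-logs": None,  # call raised ServerSideEncryptionConfigurationNotFoundError
    "backups": {"ServerSideEncryptionConfiguration": {"Rules": []}},
}

if __name__ == "__main__":
    for bucket, cmd in audit(SAMPLE, log_destinations={"access-logs"}, kms_key_id="aws/s3").items():
        print(f"{bucket}: {cmd}")
```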

See Also

https://workbench.cisecurity.org/files/3416

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|14.8

Plugin: amazon_aws

Control ID: 01c3ac4c08e3ce933faaf4c4c9722f33d208e6103586b546f341148aaf2ce07b