Information
Amazon S3 provides several no-cost or low-cost server-side encryption options (SSE-S3 and SSE-KMS) to protect data at rest.
Rationale:
Encrypting data at rest reduces the likelihood that it is unintentionally exposed and, provided the key material is not also compromised, nullifies the impact of disclosure of the stored objects.
Impact:
Amazon S3 buckets with default bucket encryption using SSE-KMS cannot be used as destination buckets for Amazon S3 server access logging. Only SSE-S3 default encryption is supported for server access log destination buckets.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From Console:
Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
Select a Bucket.
Click on 'Properties'.
Click edit on Default Encryption.
Select either SSE-S3 (Amazon S3 managed keys, AES-256) or SSE-KMS (AWS KMS keys). Note that "AES-256" and "SSE-S3" are the same option, as are "AWS-KMS" and "SSE-KMS"; the console labels have varied over time.
Click Save
Repeat for all the buckets in your AWS account lacking encryption.
From Command Line:
Run either
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
or
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/aws/s3"}}]}'
Note: the JSON must use double quotes inside the single-quoted shell argument; single quotes inside the JSON break both the shell quoting and the JSON parsing. KMSMasterKeyID can be set to the key of your choosing, given as a key ID, key ARN, or alias in the documented alias/<name> form; alias/aws/s3 is the AWS managed key for S3, which S3 also uses when KMSMasterKeyID is omitted. For SSE-KMS, adding "BucketKeyEnabled": true to the rule reduces the number of KMS requests and their cost. Verify the result with aws s3api get-bucket-encryption --bucket <bucket name>; a bucket with no default encryption rule returns a ServerSideEncryptionConfigurationNotFoundError.
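The following script is an added example, not part of the benchmark text or the Nessus check. It shows the audit half of the procedure above: it classifies captured `aws s3api get-bucket-encryption` output per bucket, flags buckets with no default encryption, flags the server access logging conflict from the Impact section (an SSE-KMS default on a log destination bucket), and builds the exact `put-bucket-encryption` argument for remediation. The bucket names, the key ARN, the log-destination set and the captured CLI output are constructed sample data; in practice you would feed it the real command output for each bucket returned by `aws s3api list-buckets`.

```python
"""Audit S3 default-encryption state from get-bucket-encryption output and
build the put-bucket-encryption configuration used to remediate.

Added example; bucket names, key ARN and CLI output below are constructed."""
import json
import shlex
from typing import Optional

NOT_FOUND = "ServerSideEncryptionConfigurationNotFoundError"

# Constructed sample: what `aws s3api get-bucket-encryption --bucket X` printed
# for four buckets (stdout JSON, or the stderr error for an unencrypted bucket).
SAMPLE_OUTPUTS = {
    "app-data-prod": json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/"
                              "1234abcd-12ab-34cd-56ef-1234567890ab"},
         "BucketKeyEnabled": True}]}}),
    "access-logs": json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"},
         "BucketKeyEnabled": False}]}}),
    "static-site": json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    "legacy-uploads": "An error occurred (" + NOT_FOUND + ") when calling the "
                      "GetBucketEncryption operation: The server side encryption "
                      "configuration was not found",
}
# Constructed: buckets that are server access logging destinations.
LOG_DESTINATIONS = {"access-logs"}


def classify_encryption(cli_output: str) -> str:
    """Map raw get-bucket-encryption output to 'SSE-S3', 'SSE-KMS' or 'NONE'."""
    if NOT_FOUND in cli_output:
        return "NONE"  # bucket has no default encryption rule at all
    cfg = json.loads(cli_output)
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo == "AES256":
            return "SSE-S3"
        if algo in ("aws:kms", "aws:kms:dsse"):  # dual-layer KMS counts as KMS
            return "SSE-KMS"
    return "NONE"


def build_encryption_config(algorithm: str, kms_key_id: Optional[str] = None,
                            bucket_key: bool = True) -> str:
    """Return the JSON for --server-side-encryption-configuration."""
    if algorithm not in ("AES256", "aws:kms"):
        raise ValueError("SSEAlgorithm must be AES256 or aws:kms")
    default = {"SSEAlgorithm": algorithm}
    rule = {"ApplyServerSideEncryptionByDefault": default}
    if algorithm == "aws:kms":
        if kms_key_id:  # omitted -> S3 uses the AWS managed key aws/s3
            default["KMSMasterKeyID"] = kms_key_id
        rule["BucketKeyEnabled"] = bucket_key  # fewer KMS calls, lower cost
    elif kms_key_id:
        raise ValueError("KMSMasterKeyID only applies to aws:kms")
    return json.dumps({"Rules": [rule]}, separators=(",", ":"))


def remediation_command(bucket: str, config_json: str) -> str:
    """Shell-safe put-bucket-encryption command line (not executed here)."""
    return ("aws s3api put-bucket-encryption --bucket %s "
            "--server-side-encryption-configuration %s"
            % (shlex.quote(bucket), shlex.quote(config_json)))


def audit(bucket_outputs: dict, log_destinations: set) -> list:
    """One finding per bucket: encryption kind, issues, and a fix command."""
    findings = []
    for bucket, output in sorted(bucket_outputs.items()):
        kind = classify_encryption(output)
        issues = []
        if kind == "NONE":
            issues.append("no default encryption configured")
        if kind == "SSE-KMS" and bucket in log_destinations:
            issues.append("SSE-KMS default encryption is not supported on a "
                          "server access log destination bucket; use SSE-S3")
        finding = {"bucket": bucket, "encryption": kind, "issues": issues}
        if issues:
            # SSE-S3 is the safe default: it is also the only option a log
            # destination bucket accepts.
            finding["remediation"] = remediation_command(
                bucket, build_encryption_config("AES256"))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUTS, LOG_DESTINATIONS):
        status = "OK " if not f["issues"] else "BAD"
        print(status, f["bucket"], f["encryption"], "; ".join(f["issues"]))
        if "remediation" in f:
            print("    ", f["remediation"])
```

The script never calls AWS itself; it consumes the CLI output you already have, so it can be run against a saved capture during an audit and the printed remediation lines can be reviewed before execution. The AES256 choice for remediation is deliberate: it is the one option that works for every bucket, including log destinations; switch to `build_encryption_config("aws:kms", "<key ARN>")` for buckets where a customer managed key is required.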