Ensure S3 bucket encryption 'kms_master_key_id' is not empty or null

HIGH

Description

Description:

Amazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. Select the check box next to the bucket.
  3. Click on 'Properties'.
  4. Click on 'Default Encryption'.
  5. Select either 'AES-256' or 'AWS-KMS'.
  6. Click 'Save'.
  7. Repeat for all the buckets in your AWS account lacking encryption.

From Command Line:

Run either

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

or

aws s3api put-bucket-encryption --bucket <bucket-name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'

Note: the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.
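As an added example (not part of this policy page), the following Python check classifies a bucket's ServerSideEncryptionConfiguration document, the same JSON the put-bucket-encryption commands above submit and that get-bucket-encryption returns, against this rule: SSE-S3 alone and SSE-KMS with an empty or missing KMSMasterKeyID both fail. The sample configurations are constructed, and the optional fetch helper assumes a boto3 S3 client is passed in.

```python
"""Check an S3 ServerSideEncryptionConfiguration for a non-empty KMS key id."""
from typing import Optional, Tuple

NO_DEFAULT_ENCRYPTION = "no default encryption configured"
SSE_S3_ONLY = "SSE-S3 (AES256): encrypted at rest, but no KMS master key id"
KMS_KEY_MISSING = "SSE-KMS with an empty or null KMSMasterKeyID"
COMPLIANT = "SSE-KMS with a non-empty KMSMasterKeyID"


def evaluate_bucket_encryption(config: Optional[dict]) -> Tuple[bool, str]:
    """Return (compliant, reason). `config` is None when the bucket has no
    default encryption (GetBucketEncryption returns NotFound)."""
    if not config:
        return False, NO_DEFAULT_ENCRYPTION
    for rule in config.get("Rules") or []:
        default = rule.get("ApplyServerSideEncryptionByDefault") or {}
        algorithm = default.get("SSEAlgorithm")
        if algorithm == "aws:kms":
            key_id = default.get("KMSMasterKeyID")
            # A missing key, null, or whitespace-only string all fail the rule.
            if isinstance(key_id, str) and key_id.strip():
                return True, COMPLIANT
            return False, KMS_KEY_MISSING
        if algorithm == "AES256":
            return False, SSE_S3_ONLY
    return False, NO_DEFAULT_ENCRYPTION


def fetch_bucket_config(s3_client, bucket: str) -> Optional[dict]:
    """Fetch the configuration with a boto3 S3 client (assumed, not imported
    here). Returns None when no default encryption is configured."""
    try:
        resp = s3_client.get_bucket_encryption(Bucket=bucket)
    except Exception as exc:  # botocore ClientError carries the error code
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "ServerSideEncryptionConfigurationNotFoundError":
            return None
        raise
    return resp["ServerSideEncryptionConfiguration"]


# Constructed sample documents mirroring the two CLI commands above, plus
# an SSE-KMS rule whose key id was left empty.
SAMPLE_CONFIGS = {
    "no-encryption": None,
    "sse-s3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "sse-kms-default-key": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "aws/s3"}}]},
    "sse-kms-empty-key": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": ""}}]},
}


def audit(configs: dict) -> dict:
    """Map each bucket name to its (compliant, reason) verdict."""
    return {name: evaluate_bucket_encryption(cfg) for name, cfg in configs.items()}
```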

Policy Details

Rule Reference ID: AC_AWS_0207
CSP: AWS
Remediation Available: Yes
Resource: aws_s3_bucket
Resource Category: Storage
Resource Type: S3 Bucket

Frameworks