Ensure S3 bucket encryption 'kms_master_key_id' is not empty or null - Terraform Version 1.x

HIGH

Description

Description:

Amazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.

Rationale:

Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.

Remediation

From Console:

  1. Log in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/
  2. Select the check box next to the bucket.
  3. Click on 'Properties'.
  4. Click on 'Default Encryption'.
  5. Select either AES-256 or AWS-KMS.
  6. Click 'Save'.
  7. Repeat for all the buckets in your AWS account lacking encryption.

From Command Line:

Run either

aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'

or

aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'

Note: the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.
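The Terraform equivalent of the remediation above, as an added example that is not part of the original policy text: the first bucket leaves kms_master_key_id empty (the condition this rule flags), the second references an explicit KMS key. Resource names and bucket names are assumptions; the inline server_side_encryption_configuration block is the AWS provider 3.x form used with the aws_s3_bucket resource this rule targets (provider 4.x moves it to a separate aws_s3_bucket_server_side_encryption_configuration resource).

```hcl
# Hypothetical customer-managed KMS key used for S3 default encryption
# (resource and bucket names below are assumptions, not from the policy page).
resource "aws_kms_key" "s3" {
  description         = "CMK for S3 default encryption"
  enable_key_rotation = true
}

# Non-compliant: sse_algorithm is aws:kms but kms_master_key_id is empty,
# so S3 silently falls back to the AWS-managed aws/s3 key and the
# S3_AWS_0003 check fails.
resource "aws_s3_bucket" "noncompliant" {
  bucket = "example-noncompliant-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = ""
      }
    }
  }
}

# Compliant: an explicit key ARN is supplied, so the key that protects the
# data at rest is chosen (and auditable) rather than defaulted.
resource "aws_s3_bucket" "compliant" {
  bucket = "example-compliant-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm     = "aws:kms"
        kms_master_key_id = aws_kms_key.s3.arn
      }
    }
  }
}
```

Running the policy scan against a plan containing both resources should report only the first bucket; the key ARN can equally be a fixed alias such as the aws/s3 default mentioned above, as long as the attribute is not empty.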

Policy Details

Rule Reference ID: S3_AWS_0003
CSP: AWS
Remediation Available: Yes
Resource: aws_s3_bucket
Resource Category: Storage
Resource Type: S3 Bucket

Frameworks